Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483332
MD5: d0fcc1d2ad23b05b53eefe1137594ddb
SHA1: 21b7f4bcae07c8c229035ef7f5b53be2a7febc54
SHA256: 367699d2c1f464b4c508846de8e1a760df77756492a2503c49a9086a374b5ef0
Tags: exe

Detection

Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Capture Wi-Fi password
Yara detected Amadeys stealer DLL
Yara detected Monster Stealer
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected generic credential text file
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
High number of junk calls found (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Tries to steal communication platform credentials (via file / registry access)
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Generic Python Stealer
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php0_ Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/ows Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/ro2s Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Local Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/softokn3.dllAw Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php4z Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.16/stealc/random.exencodedcgN Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/25072023.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#3. Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/buildred.exeL Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/gawdth.exelF~n# Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3i Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/msvcp140.dllR Avira URL Cloud: Label: malware
Source: http://185.215.113.19/fac00b58987e8fcf7b8c730804042ba5ce902415453 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/5447jsX.exed Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.php=U Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dllll Avira URL Cloud: Label: malware
Source: http://185.215.113.16/inc/crypted.exeo Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#U. Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php32 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/gawdth.exe Avira URL Cloud: Label: malware
Source: http://85.28.47.31/pr Avira URL Cloud: Label: malware
Source: http://185.215.113.16/inc/pered.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php17001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpTemp Avira URL Cloud: Label: phishing
Source: C:\Users\userGCAFCAFHJJ.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\crypteda[1].exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000002F.00000002.3029002681.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.70/744f169d372be841.php"}
Source: 33.2.crypted.exe.6fcbc0.1.unpack Malware Configuration Extractor: RedLine {"C2 url": "20.52.165.210:39030", "Bot Id": "LiveTraffic", "Message": "error", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: axplong.exe.7888.18.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\build[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\buildred[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\crypteda[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gawdth[1].exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2020[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\25072023[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\5447jsX[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\crypted[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000012001\2020.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1000014001\gawdth.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe ReversingLabs: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\2[1].exe Joe Sandbox ML: detected
Source: C:\Users\userGCAFCAFHJJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\crypteda[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\build[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\pered[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C5B6C80

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 20.2.97a671ae5d.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 36.2.97a671ae5d.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2470169805.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDabX9_62_CURVEfieldIDcurvebaseordercofactorECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.2built on: Tue Jun 4 16:20:25 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-ndysxfi8\src\rust\target\release\deps\cryptography_rust.pdbo source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3111615192.00007FF8B61E5000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: stub.exe, 00000019.00000002.3112440354.00007FF8B7892000.00000002.00000001.01000000.0000002E.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: build.exe, 00000018.00000003.2773862520.00000207815C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042655656.000002606C7D0000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2470169805.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: stub.exe, 00000019.00000002.3120404184.00007FF8BA500000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: build.exe, 00000018.00000003.2773862520.00000207815C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3111615192.00007FF8B61E5000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3120731805.00007FF8BFAD1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3119029706.00007FF8B9F6D000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-ndysxfi8\src\rust\target\release\deps\cryptography_rust.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: http://85.28.47.70/744f169d372be841.php
Source: Malware configuration extractor IPs: 185.215.113.16
Source: Malware configuration extractor URLs: 20.52.165.210:39030
Source: Joe Sandbox View IP Address: 85.28.47.31
Source: Joe Sandbox View IP Address: 185.215.113.19
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account"OO equals www.youtube.com (Youtube)
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account.NK equals www.youtube.com (Youtube)
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMN equals www.youtube.com (Youtube)
Source: 342db65350.exe, 00000017.00000002.3285477229.00000000020B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt% equals www.youtube.com (Youtube)
Source: 342db65350.exe, 00000017.00000002.3339226587.00000000064B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: x\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000012.00000002.3270683057.000000000155E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php-
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php32
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4z
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpG
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpTemp
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpahR=.
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpeZR
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/2020.exe
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/25072023.exe
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/25072023.exe2
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/5447jsX.exeN
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/5447jsX.exed
Source: axplong.exe, 00000012.00000002.3270683057.000000000150B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/build.exe
Source: axplong.exe, 00000012.00000002.3270683057.000000000150B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/build.exeYH
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/buildred.exe
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/buildred.exeL
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/crypted.exe
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/crypted.exeo
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/crypteda.exe
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/crypteda.exe?x
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/gawdth.exe
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/gawdth.exelF~n#
Source: axplong.exe, 00000012.00000002.3270683057.00000000015D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/gawdth.exeu
Source: axplong.exe, 00000012.00000002.3285482105.0000000006320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/pered.exe
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe6Uf
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: file.exe, 00000000.00000002.2464131529.0000000028D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe2
Source: explorti.exe, 00000013.00000002.3270790823.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe
Source: explorti.exe, 00000013.00000002.3270790823.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exedgG
Source: explorti.exe, 00000013.00000002.3270790823.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exencodedcgN
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exeB
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/6165
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Local
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3270790823.0000000001858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php.
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php0_
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php17001
Source: explorti.exe, 00000013.00000002.3270790823.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php;
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpN
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpWe
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpf
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpn
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phptch
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpx
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php~
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#3.
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#U.
Source: explorti.exe, 00000013.00000002.3270790823.00000000018C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/d
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/fac00b58987e8fcf7b8c730804042ba5ce902415453
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ferences.SourceAumid1e/x
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/l
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/lfons
Source: explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ows
Source: file.exe, 00000000.00000002.2441600215.000000000043C000.00000040.00000001.01000000.00000003.sdmp, 97a671ae5d.exe, 00000014.00000002.2744668224.00000000025EE000.00000004.00000020.00020000.00000000.sdmp, 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp, 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp, 97a671ae5d.exe, 00000014.00000002.2744968028.000000000264A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.000000000264A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: file.exe, 00000000.00000002.2464131529.0000000028D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php2
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php2L
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php8Rx
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php=U
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpGR
Source: file.exe, 00000000.00000002.2469209996.0000000035220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpQ
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpZL
Source: file.exe, 00000000.00000002.2441600215.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2469209996.0000000035220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpp
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.000000000264A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phps
Source: file.exe, 00000000.00000002.2469209996.0000000035220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3i
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll$3
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2443375443.0000000002607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dllR
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dllll
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dllAw
Source: file.exe, 00000000.00000002.2441600215.000000000046A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/SSC:
Source: file.exe, 00000000.00000002.2443375443.000000000263A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/pr
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.000000000264A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/ro2s
Source: file.exe, 00000000.00000002.2441600215.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31h
Source: 97a671ae5d.exe, 00000014.00000002.2744668224.00000000025EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31lN$KsW5
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3097971992.000002606F800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.aiohttp.org/en/stable/logging.html#format-specification
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.aiohttp.org/en/stable/logging.html#format-specificationauvloopaset_event_loop_policyaEve
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://httpbin.org/post
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/jsonacityatimezoneaispaorgaasuMain.GetNetworkInfoT
Source: stub.exe, 00000019.00000003.3025477729.000002606E70F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000006DE000.00000040.00000001.01000000.00000011.sdmp, 342db65350.exe, 00000017.00000000.2736849521.000000000097E000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000006DE000.00000040.00000001.01000000.00000011.sdmp, 342db65350.exe, 00000017.00000000.2736849521.000000000097E000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000006DE000.00000040.00000001.01000000.00000011.sdmp, 342db65350.exe, 00000017.00000000.2736849521.000000000097E000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://python.org
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://python.org/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://python.org:80
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3047040170.000002606E860000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3046738501.000002606E760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: file.exe, file.exe, 00000000.00000002.2470169805.000000006C61D000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3046738501.000002606E760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: file.exe, 00000000.00000002.2469773266.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.riotgames.com/api/account/v1/user
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.riotgames.com/api/account/v1/userT
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.reddit.com/api/access_token
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.reddit.com/api/access_tokenaaccess_tokenuandroid:com.example.myredditapp:v1.2.3uBea
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3091985685.000002606F17B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3018700794.000002606F17A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue37179
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/u.pngu.gifuunsupported
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coe.com.vn/
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.000000000154A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coe.com.vn/tmp/2.exe
Source: axplong.exe, 00000012.00000002.3270683057.000000000154A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coe.com.vn/tmp/2.exe9rl
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coe.com.vn/tmp/2.exePw;.
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coe.com.vn/tmp/2.exefdm
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3098111936.000002606F920000.00000004.00001000.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3098111936.000002606F9FC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v8/guilds/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v8/guilds/u/invitesainvitesuhttps://discord.gg/acodeuhttps://t.me/monster_fr
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v8/users/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.gg/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detectionaDeprecationWarningD
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3091985685.000002606F17B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3018700794.000002606F17A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3025477729.000002606E70F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.7/library/asyncio-eventloop.html
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3096267679.000002606F4A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_COMPRESSION
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_COMPRESSIONaset_default_verify_pathsuSSL
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://economy.roblox.com/v1/users/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filepreviews.io/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3093364671.000002606F235000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020784420.000002606F235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3091985685.000002606F17B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3018700794.000002606F17A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1141)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1158)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1165)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1172)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1187)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1200)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/1203)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3091985685.000002606F17B000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3018700794.000002606F17A000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3072092053.000002606ED60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/sponsors/hynek
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/sponsors/hynek).
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gql.twitch.tv/gql
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gql.twitch.tv/gqlT
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=trueuhttps://i.instagram.com/api/v1/users
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.instagram.com/api/v1/users/
Source: file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://instagram.com/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3092540180.000002606F1A1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3017617111.000002606F19E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oauth.reddit.com/api/v1/me
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oauth.reddit.com/api/v1/meuNo
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://open.spotify.com/user/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://open.spotify.com/user/u
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/attrs/)
Source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/justforMonster/injection/main/injection.js
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/justforMonster/injection/main/injection.jsanulluMain.GetInjectionC
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://restores.name/log
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://restores.name/logaYMOVKJ1WAP6PFLQqz
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/monster_free_cloud
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/monster_free_cloud----------------------
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thumbnails.roblox.com/v1/users/avatar?userIds=
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiktok.com/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/home
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.jsonareqadescriptionuThere
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/u
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.comarefereruhttps://twitter.com/homeusec-fetch-destaemptyusec-fetch-modeacorsusec-fe
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/FilePreviews.svg
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Tidelift.svg
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Variomedia.svg
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes).
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2464131529.0000000028D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: build.exe, 00000018.00000003.2773862520.00000207816BC000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2070352427.0000000002687000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ibm.com/
Source: stub.exe, 00000019.00000002.3098252283.000002606FB38000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: stub.exe, 00000019.00000002.3097843536.000002606F6C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2441600215.000000000043C000.00000040.00000001.01000000.00000003.sdmp, stub.exe, 00000019.00000002.3096504690.000002606F620000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2158189642.000000002EF53000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2441600215.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2158189642.000000002EF53000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2441600215.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2158189642.000000002EF53000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2837202724.000002606F460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: build.exe, 00000018.00000003.2773862520.00000207816B1000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/H
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3092540180.000002606F1A1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3017617111.000002606F19E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/user/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/user/acomment_karmaatotal_karmaais_modais_goldais_suspendedaprofileUrlu
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.roblox.com/my/account/json
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.roblox.com/my/account/jsonuhttps://economy.roblox.com/v1/users/aresaUserIdu/currencyuhtt
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profileatextaloadsaprofileagenderabirthdateu
Source: stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.twitch.tv/
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.twitch.tv/adisplayNameahasPrimeaisPartneralanguageaprofileImageURLabitsBalanceatotalCoun
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042192631.000002606C756000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3023690982.000002606C72A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.variomedia.de/
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account.NK
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMN
Source: 342db65350.exe, 00000017.00000002.3285477229.00000000020B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt%
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3048303310.000002606EA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zopeinterface.readthedocs.io/en/latest/
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS
Source: 342db65350.exe, 00000017.00000002.3285477229.00000000020B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICESl 3 memstr_c710819a-7
Source: Yara match File source: Process Memory Space: 342db65350.exe PID: 5516, type: MEMORYSTR

System Summary

Source: 00000024.00000002.2850300180.00000000026D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.2744587061.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2443328439.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2443697846.00000000040E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000024.00000002.2851004349.00000000040D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.2744921977.00000000025FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 342db65350.exe, 00000017.00000002.3262699829.0000000000182000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6e105682-5
Source: 342db65350.exe, 00000017.00000002.3262699829.0000000000182000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a06a6a42-c
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name:
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: .idata
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name:
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name:
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: .idata
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C60B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C60B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C60B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5AF280
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\userGCAFCAFHJJ.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A35A0 0_2_6C5A35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B5440 0_2_6C5B5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61545C 0_2_6C61545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61542B 0_2_6C61542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5C10 0_2_6C5E5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F2C10 0_2_6C5F2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61AC00 0_2_6C61AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD4D0 0_2_6C5CD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B64C0 0_2_6C5B64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6CF0 0_2_6C5E6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AD4E0 0_2_6C5AD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6034A0 0_2_6C6034A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60C4A0 0_2_6C60C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B6C80 0_2_6C5B6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CED10 0_2_6C5CED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D0512 0_2_6C5D0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BFD00 0_2_6C5BFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E0DD0 0_2_6C5E0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6085F0 0_2_6C6085F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C616E63 0_2_6C616E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C9E50 0_2_6C5C9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E3E50 0_2_6C5E3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F2E4E 0_2_6C5F2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C4640 0_2_6C5C4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AC670 0_2_6C5AC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7E10 0_2_6C5E7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C609E30 0_2_6C609E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F5600 0_2_6C5F5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6176E3 0_2_6C6176E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ABEF0 0_2_6C5ABEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BFEF0 0_2_6C5BFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C604EA0 0_2_6C604EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C5E90 0_2_6C5C5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60E680 0_2_6C60E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7710 0_2_6C5E7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B9F00 0_2_6C5B9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D6FF0 0_2_6C5D6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ADFE0 0_2_6C5ADFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F77A0 0_2_6C5F77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C8850 0_2_6C5C8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD850 0_2_6C5CD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EF070 0_2_6C5EF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B7810 0_2_6C5B7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EB820 0_2_6C5EB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F4820 0_2_6C5F4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6150C7 0_2_6C6150C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CC0E0 0_2_6C5CC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E58E0 0_2_6C5E58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D60A0 0_2_6C5D60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61B170 0_2_6C61B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CA940 0_2_6C5CA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB970 0_2_6C5FB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BD960 0_2_6C5BD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5190 0_2_6C5E5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DD9B0 0_2_6C5DD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C602990 0_2_6C602990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AC9A0 0_2_6C5AC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9A60 0_2_6C5E9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E8AC0 0_2_6C5E8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C1AF0 0_2_6C5C1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EE2F0 0_2_6C5EE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C612AB0 0_2_6C612AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BCAB0 0_2_6C5BCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61BA90 0_2_6C61BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A22A0 0_2_6C5A22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D4AA0 0_2_6C5D4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A5340 0_2_6C5A5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC370 0_2_6C5BC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED320 0_2_6C5ED320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6153C8 0_2_6C6153C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AF380 0_2_6C5AF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65AC60 0_2_6C65AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72AC30 0_2_6C72AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C716C00 0_2_6C716C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64ECC0 0_2_6C64ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6AECD0 0_2_6C6AECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71ED70 0_2_6C71ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C77AD50 0_2_6C77AD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D8D20 0_2_6C7D8D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7DCDC0 0_2_6C7DCDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C654DB0 0_2_6C654DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E6D90 0_2_6C6E6D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EEE70 0_2_6C6EEE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C730E20 0_2_6C730E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65AEC0 0_2_6C65AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F0EC0 0_2_6C6F0EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D6E90 0_2_6C6D6E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C712F70 0_2_6C712F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BEF40 0_2_6C6BEF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C790F20 0_2_6C790F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C656F10 0_2_6C656F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72EFF0 0_2_6C72EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C650FE0 0_2_6C650FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C798FB0 0_2_6C798FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65EFB0 0_2_6C65EFB0
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5DCBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5E94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C7D09D0 appears 51 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 2260
Source: 2.exe.18.dr Static PE information: Data appended to the last section found
Source: 2[1].exe.18.dr Static PE information: Data appended to the last section found
Source: file.exe, 00000000.00000000.1992970608.000000000244C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2470654873.000000006C825000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2470246607.000000006C632000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2464131529.0000000028D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2464131529.0000000028D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000024.00000002.2850300180.00000000026D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.2744587061.00000000025B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2443328439.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2443697846.00000000040E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000024.00000002.2851004349.00000000040D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.2744921977.00000000025FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2[1].exe.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.exe.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9997705344945356
Source: random[1].exe.0.dr Static PE information: Section: jnaccepv ZLIB complexity 0.9946529587866425
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997705344945356
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: Section: jnaccepv ZLIB complexity 0.9946529587866425
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: Section: ZLIB complexity 0.9973390667574932
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: Section: rkxzdssx ZLIB complexity 0.9944472371164731
Source: explorti.exe.5.dr Static PE information: Section: ZLIB complexity 0.9997705344945356
Source: explorti.exe.5.dr Static PE information: Section: jnaccepv ZLIB complexity 0.9946529587866425
Source: axplong.exe.8.dr Static PE information: Section: ZLIB complexity 0.9973390667574932
Source: axplong.exe.8.dr Static PE information: Section: rkxzdssx ZLIB complexity 0.9944472371164731
Source: crypteda[1].exe.18.dr Static PE information: Section: .data ZLIB complexity 0.9957952789319011
Source: crypteda.exe.18.dr Static PE information: Section: .data ZLIB complexity 0.9957952789319011
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@129/133@0/13
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C607030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C607030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\T3J5110P.htm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7332
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7188
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Mutant created: \Sessions\1\BaseNamedObjects\M
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6456
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2443165283.00000000025DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT url FROM urls LIMIT 1000S$;
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2083091335.00000000026C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069906964.0000000022C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082464293.0000000022CA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2456834295.000000001CBAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2469659271.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RoamingIDBGHDGHCG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: userGCAFCAFHJJ.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGCAFCAFHJJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userGCAFCAFHJJ.exe "C:\Users\userGCAFCAFHJJ.exe"
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 2260
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\userGCAFCAFHJJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe "C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 1040
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe "C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000001001\build.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe "C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe "C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe"
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 1320
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGCAFCAFHJJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe"
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userGCAFCAFHJJ.exe "C:\Users\userGCAFCAFHJJ.exe"
Source: C:\Users\userGCAFCAFHJJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000001001\build.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe "C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe "C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe "C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: python310.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2470169805.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDabX9_62_CURVEfieldIDcurvebaseordercofactorECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.2built on: Tue Jun 4 16:20:25 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-ndysxfi8\src\rust\target\release\deps\cryptography_rust.pdbo source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3111615192.00007FF8B61E5000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: stub.exe, 00000019.00000002.3112440354.00007FF8B7892000.00000002.00000001.01000000.0000002E.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: build.exe, 00000018.00000003.2773862520.00000207815C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3042655656.000002606C7D0000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2470169805.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: stub.exe, 00000019.00000002.3120404184.00007FF8BA500000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: build.exe, 00000018.00000003.2773862520.00000207815C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: build.exe, 00000018.00000003.2773862520.0000020781AF5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3111615192.00007FF8B61E5000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2470488363.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3120731805.00007FF8BFAD1000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3119029706.00007FF8B9F6D000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-ndysxfi8\src\rust\target\release\deps\cryptography_rust.pdb source: build.exe, 00000018.00000003.2773862520.0000020781E6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: build.exe, 00000018.00000003.2773862520.0000020781739000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.maduco:R;.gubogus:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Unpacked PE file: 5.2.RoamingIDBGHDGHCG.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW;
Source: C:\Users\userGCAFCAFHJJ.exe Unpacked PE file: 8.2.userGCAFCAFHJJ.exe.360000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 9.2.explorti.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 13.2.explorti.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 15.2.axplong.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 18.2.axplong.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkxzdssx:EW;opdalfsp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 19.2.explorti.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jnaccepv:EW;oirghrul:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 20.2.97a671ae5d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.maduco:R;.gubogus:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Unpacked PE file: 23.2.342db65350.exe.c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 36.2.97a671ae5d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.maduco:R;.gubogus:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 20.2.97a671ae5d.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Unpacked PE file: 36.2.97a671ae5d.exe.400000.0.unpack
Source: 25072023[1].exe.18.dr Static PE information: 0xBD051842 [Sun Jun 29 00:35:14 2070 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: crypteda.exe.18.dr Static PE information: real checksum: 0x0 should be: 0x168d60
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: real checksum: 0x1e2bee should be: 0x1e2634
Source: gawdth[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0xe84a7
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: real checksum: 0x1d7fc2 should be: 0x1d1201
Source: axplong.exe.8.dr Static PE information: real checksum: 0x1e2bee should be: 0x1e2634
Source: 2.exe.18.dr Static PE information: real checksum: 0x483a7 should be: 0x30585
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1d7fc2 should be: 0x1d1201
Source: 5447jsX[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0x6c443
Source: 25072023.exe.18.dr Static PE information: real checksum: 0x0 should be: 0x4f6f6
Source: explorti.exe.5.dr Static PE information: real checksum: 0x1d7fc2 should be: 0x1d1201
Source: gawdth.exe.18.dr Static PE information: real checksum: 0x0 should be: 0xe84a7
Source: buildred.exe.18.dr Static PE information: real checksum: 0x0 should be: 0x56436
Source: crypted[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0xf7aaf
Source: 25072023[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0x4f6f6
Source: buildred[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0x56436
Source: crypted.exe.18.dr Static PE information: real checksum: 0x0 should be: 0xf7aaf
Source: 5447jsX.exe.18.dr Static PE information: real checksum: 0x0 should be: 0x6c443
Source: 2[1].exe.18.dr Static PE information: real checksum: 0x483a7 should be: 0x30585
Source: crypteda[1].exe.18.dr Static PE information: real checksum: 0x0 should be: 0x168d60
Source: file.exe Static PE information: section name: .maduco
Source: file.exe Static PE information: section name: .gubogus
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: jnaccepv
Source: random[1].exe.0.dr Static PE information: section name: oirghrul
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name:
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: .idata
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name:
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: jnaccepv
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: oirghrul
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: .taggant
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name:
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: .idata
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name:
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: rkxzdssx
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: opdalfsp
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe0.0.dr Static PE information: section name: .maduco
Source: random[1].exe0.0.dr Static PE information: section name: .gubogus
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: jnaccepv
Source: explorti.exe.5.dr Static PE information: section name: oirghrul
Source: explorti.exe.5.dr Static PE information: section name: .taggant
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: rkxzdssx
Source: axplong.exe.8.dr Static PE information: section name: opdalfsp
Source: axplong.exe.8.dr Static PE information: section name: .taggant
Source: crypteda[1].exe.18.dr Static PE information: section name: .zzZ
Source: crypteda.exe.18.dr Static PE information: section name: .zzZ
Source: 5447jsX[1].exe.18.dr Static PE information: section name: .zzZ
Source: 5447jsX.exe.18.dr Static PE information: section name: .zzZ
Source: 2[1].exe.18.dr Static PE information: section name: .kic
Source: 2[1].exe.18.dr Static PE information: section name: .yuh
Source: 2.exe.18.dr Static PE information: section name: .kic
Source: 2.exe.18.dr Static PE information: section name: .yuh
Source: pered[1].exe.18.dr Static PE information: section name: _RDATA
Source: pered.exe.18.dr Static PE information: section name: _RDATA
Source: gawdth[1].exe.18.dr Static PE information: section name: .didat
Source: gawdth[1].exe.18.dr Static PE information: section name: _RDATA
Source: gawdth.exe.18.dr Static PE information: section name: .didat
Source: gawdth.exe.18.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A9F5 push ecx; ret 0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB536 push ecx; ret 0_2_6C5DB549
Source: file.exe Static PE information: section name: .text entropy: 7.8226282857662985
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.982538775715216
Source: random[1].exe.0.dr Static PE information: section name: jnaccepv entropy: 7.9543392745735515
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: entropy: 7.982538775715216
Source: RoamingIDBGHDGHCG.exe.0.dr Static PE information: section name: jnaccepv entropy: 7.9543392745735515
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: entropy: 7.984653502366883
Source: userGCAFCAFHJJ.exe.0.dr Static PE information: section name: rkxzdssx entropy: 7.954277440139706
Source: random[1].exe0.0.dr Static PE information: section name: .text entropy: 7.8226282857662985
Source: explorti.exe.5.dr Static PE information: section name: entropy: 7.982538775715216
Source: explorti.exe.5.dr Static PE information: section name: jnaccepv entropy: 7.9543392745735515
Source: axplong.exe.8.dr Static PE information: section name: entropy: 7.984653502366883
Source: axplong.exe.8.dr Static PE information: section name: rkxzdssx entropy: 7.954277440139706
Source: 2[1].exe.18.dr Static PE information: section name: .text entropy: 7.772647603957998
Source: 2.exe.18.dr Static PE information: section name: .text entropy: 7.772647603957998
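The static tells listed above for the droppers in this chain (a stored checksum of 0x0 that does not match the computed one, empty and random section names such as .taggant, jnaccepv and .maduco, an entry point that sits in .taggant rather than .text, section entropy of 7.95 to 7.98 bits per byte, .text mapped writable on disk and read-only once unpacked, and a link timestamp in the year 2070) can all be reproduced offline from the file headers. The Python below is an added example written for this page; it is not Joe Sandbox code and nothing in it comes from the samples. It parses a PE header with the standard library only, recomputes the image checksum the way imagehlp's CheckSumMappedFile does, measures per-section Shannon entropy, and parses the report's own "dump vs disk" section-rights notation. The PE it analyses is constructed inline; the 7.5 bits/byte packing threshold, the list of "common" section names and the 2024-07-01 reference time are assumptions of the example, not values taken from the sandbox.

```python
"""Static triage for the tells this report lists under "Data Obfuscation": checksum mismatch,
odd section names, entry point outside .text, packed (high-entropy) sections, writable and
executable sections, an implausible link timestamp, and the "dump vs disk" rights notation."""
import math
import struct
import time
from collections import Counter
from datetime import datetime, timezone

# Names a mainstream linker emits; others (.taggant, .maduco, jnaccepv, an empty name) are suspect.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                        ".pdata", ".bss", ".tls", ".CRT", ".didat", ".00cfg", "_RDATA", ".gfids"}
PACKED_ENTROPY_THRESHOLD = 7.5  # bits/byte; an assumed cut-off, not the sandbox's own constant

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def rights(flags: int) -> str:
    """IMAGE_SCN_MEM_EXECUTE/READ/WRITE rendered the way the report does (E, R, W)."""
    bits = ((0x20000000, "E"), (0x40000000, "R"), (0x80000000, "W"))
    return "".join(ch for bit, ch in bits if flags & bit)

def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header parser: only the fields the triage needs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "flags": flags, "data": data[raw_ptr:raw_ptr + raw_size]})
    return {"timestamp": timestamp, "entry_rva": entry_rva,
            "stored_checksum": stored_checksum, "sections": sections}

def pe_checksum(data: bytes) -> int:
    """Image checksum as imagehlp's CheckSumMappedFile computes it: fold every dword except the
    CheckSum field itself into a 16-bit end-around-carry sum, then add the file length."""
    checksum_offset = struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + 64
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def section_rights_diff(report_line: str) -> list:
    """Parse 'dump sections vs disk sections' (left = memory dump, right = file on disk, as the
    report orders them) and list sections whose rights differ; unnamed sections share key ''."""
    parse = lambda part: dict(item.rsplit(":", 1) for item in part.split(";") if ":" in item)
    dumped, on_disk = (parse(p) for p in report_line.split(" vs ", 1))
    return [f"{n.strip() or '<empty>'}: {on_disk.get(n, '-')} -> {dumped.get(n, '-')}"
            for n in dict.fromkeys(list(on_disk) + list(dumped)) if on_disk.get(n) != dumped.get(n)]

def triage(data: bytes, now_ts=None) -> list:
    """Indicator lines in the report's phrasing; now_ts is the reference time (Unix seconds)."""
    pe, out, now_ts = parse_pe(data), [], now_ts or int(time.time())
    computed = pe_checksum(data)
    if pe["stored_checksum"] != computed:
        out.append(f"real checksum: {pe['stored_checksum']:#x} should be: {computed:#x}")
    if pe["timestamp"] == 0 or pe["timestamp"] > now_ts:
        linked = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
        out.append(f"implausible timestamp: {pe['timestamp']:#010x} [{linked:%a %b %d %H:%M:%S %Y} UTC]")
    entry = next((s["name"] for s in pe["sections"] if s["vaddr"] <= pe["entry_rva"]
                  < s["vaddr"] + max(s["vsize"], len(s["data"]))), None)
    if entry != ".text":
        out.append("section where entry point is pointing to: " + {None: "<none>", "": "<empty>"}.get(entry, entry))
    for s in pe["sections"]:
        label, ent, r = s["name"] or "<empty>", shannon_entropy(s["data"]), rights(s["flags"])
        if s["name"] not in COMMON_SECTION_NAMES:
            out.append(f"section name: {label}")
        if ent > PACKED_ENTROPY_THRESHOLD:
            out.append(f"section name: {label} entropy: {ent:.4f}")
        if "E" in r and "W" in r:
            out.append(f"section {label} is writable and executable ({r})")
    return out

def build_sample_pe(timestamp: int, stored_checksum: int = 0) -> bytes:
    """Constructed PE32 (not a real sample): W+X .text, an unnamed 8.0-bit section, entry in .taggant."""
    fa, sa = 0x200, 0x1000                                      # file / section alignment
    secs = [(b".text", 0xE0000020, b"\x55\x8B\xEC\x5D" * 128),  # CODE|E|R|W, entropy 2.0
            (b"", 0xE0000040, bytes(range(256)) * 2),           # unnamed, entropy 8.0
            (b".taggant", 0x60000020, b"\x00" * 512)]           # CODE|E|R, holds entry point
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"         # e_lfanew = 64
    hdr += struct.pack("<HHIIIHH", 0x14C, len(secs), timestamp, 0, 0, 224, 0x0102)
    hdr += struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                       0x10B, 14, 0, 0x200, 0x400, 0, 3 * sa, sa, 2 * sa, 0x400000, sa, fa,
                       6, 0, 0, 0, 6, 0, 0, 4 * sa, fa, stored_checksum, 2, 0x8140,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    body = b""
    for i, (name, flags, raw) in enumerate(secs):
        hdr += struct.pack("<8sIIIIIIHHI", name, len(raw), sa * (i + 1), len(raw),
                           fa + len(body), 0, 0, 0, 0, flags)
        body += raw.ljust(-(-len(raw) // fa) * fa, b"\0")
    return hdr.ljust(fa, b"\0") + body

if __name__ == "__main__":
    print(*triage(build_sample_pe(0xBD051842), now_ts=1719792000), sep="\n")  # ref: 2024-07-01 UTC
```

Run against the constructed file it prints the same kinds of line the report does: a checksum of 0x0 against the computed value, the 0xBD051842 stamp rendered as Sun Jun 29 00:35:14 2070 UTC, the entry point resolved to .taggant, the unnamed section flagged both for its name and for 8.0-bit entropy, and both .text and the unnamed section flagged as writable and executable. Feeding the first "Unpacked PE file" line above to section_rights_diff shows .text going from EW on disk to ER in the dump, with .maduco, .gubogus and .rsrc present only in the dump and .reloc only on disk. A stored checksum of 0 is not itself proof of malice (the loader only enforces it for drivers, and some packers leave it blank), so treat it as one signal among the others.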

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\buildred[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gawdth[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_cffi_backend.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_http_writer.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\crypteda[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\userGCAFCAFHJJ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\pered[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2020[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\multidict\_multidict.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\yarl\_quoting_c.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\build[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000012001\2020.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\charset_normalizer\md__mypyc.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_helpers.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_queue.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\5447jsX[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_decimal.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\frozenlist\_frozenlist.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_websocket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\libffi-7.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\charset_normalizer\md.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_http_parser.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\python310.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\25072023[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000005001\2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\crypted[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000010001\pered.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000014001\gawdth.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\userGCAFCAFHJJ.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_uuid.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 97a671ae5d.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 342db65350.exe
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 97a671ae5d.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 97a671ae5d.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 342db65350.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 342db65350.exe
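The two listings above (dropped files under Persistence and Installation Behavior, autorun values, the explorti.job task and the Procmon/Filemon/Regmon window probes under Boot Survival) are flat event lines, and the persistence-relevant entries are buried among hundreds of transient Temp drops. The parser below is an added example, not part of the sandbox report or of any of the malware families it names: it reads lines in the report's own "Source: <process> <event>: <details>" format and reduces them to a deduplicated set of host-hunting indicators (files written outside Temp and the IE cache, Run-key value names, .job files in C:\Windows\Tasks, files marked +h +s through attrib.exe, and anti-analysis window-class lookups). The sample lines are copied from the sections above; the one assumption is that source process paths contain no spaces, which holds for every path in this report.

```python
import re

# Constructed sample: behaviour lines copied from the report sections above,
# in the format "Source: <process> <event>: <details> [Jump to ...]".
SAMPLE_LINES = [
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"',
    r'Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file',
    r'Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe Jump to dropped file',
    r'Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_ssl.pyd Jump to dropped file',
    r'Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 97a671ae5d.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 97a671ae5d.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 342db65350.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS',
    r'Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass',
]

# One report line. Assumption: the source process path has no spaces (true for
# every path in this report), so it can be captured with \S+. The trailing
# "Jump to ..." link text is optional and discarded.
EVENT_RE = re.compile(
    r'^Source: (?P<source>\S+) '
    r'(?P<event>File created|Registry value created or modified|Process created|Window searched: window name): '
    r'(?P<detail>.*?)(?: Jump to (?:dropped file|behavior))?$'
)
# "<hive\...\CurrentVersion\Run[Once]> <value name>"
RUN_KEY_RE = re.compile(r'^(?P<key>HK\S+\\CurrentVersion\\Run(?:Once)?) (?P<value>.+)$', re.I)
# attrib.exe invocation with its flags and the (optionally quoted) target path.
ATTRIB_RE = re.compile(r'\battrib(?:\.exe)?\s+(?P<flags>(?:[+-][hsra]\s+)+)"?(?P<path>[^"]+?)"?\s*$', re.I)

TASK_DIR = 'c:\\windows\\tasks\\'
# Window class names of Sysinternals monitoring tools probed via FindWindow.
MONITOR_WINDOWS = {'procmon_window_class', 'filemonclass', 'regmonclass'}


def is_transient(path):
    """Staging locations: Temp and the IE cache are not where persistence lives."""
    p = path.lower()
    return '\\appdata\\local\\temp\\' in p or '\\inetcache\\' in p


def extract_persistence(lines):
    """Reduce report behaviour lines to deduplicated persistence/evasion indicators."""
    found = {
        'dropped_outside_temp': set(),   # file paths written to durable locations
        'autorun_values': set(),         # (Run key, value name) pairs
        'scheduled_task_jobs': set(),    # legacy .job files in C:\Windows\Tasks
        'hidden_system_files': set(),    # paths given +h +s via attrib.exe
        'monitor_windows_probed': set(), # Procmon/Filemon/Regmon window classes looked up
        'unparsed': [],                  # lines the regex did not recognise
    }
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            found['unparsed'].append(line)
            continue
        event, detail = m.group('event'), m.group('detail')
        if event == 'File created':
            low = detail.lower()
            if low.startswith(TASK_DIR) and low.endswith('.job'):
                found['scheduled_task_jobs'].add(detail)
            elif not is_transient(detail):
                found['dropped_outside_temp'].add(detail)
        elif event == 'Registry value created or modified':
            rm = RUN_KEY_RE.match(detail)
            if rm:
                found['autorun_values'].add((rm.group('key'), rm.group('value')))
        elif event == 'Process created':
            am = ATTRIB_RE.search(detail)
            if am and '+h' in am.group('flags') and '+s' in am.group('flags'):
                found['hidden_system_files'].add(am.group('path'))
        elif event.startswith('Window searched'):
            if detail.lower() in MONITOR_WINDOWS:
                found['monitor_windows_probed'].add(detail)
    # Sorted lists give stable output for diffing against other reports.
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in found.items()}


if __name__ == '__main__':
    for category, items in extract_persistence(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print('   ', item)
```

Feed it the full report text instead of SAMPLE_LINES to get the complete indicator set; the duplicate Run-key lines collapse to one entry per value name, and anything the regex does not recognise ends up in `unparsed` rather than being silently dropped.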
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: Global behavior Junk call stats: NtWriteFile 1446916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\userGCAFCAFHJJ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\userGCAFCAFHJJ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UFIDDLER.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: USBIEDLL.DLLUANTIVM.CHECKDLLT
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UXENSERVICE.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UWIRESHARK.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UOLLYDBG.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: USBIEDLL.DLL
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UVMTOOLSD.EXEUVMWARETRAY.EXEUVMACTHLP.EXEUVBOXTRAY.EXEUVBOXSERVICE.EXEUVMSRVC.EXEUPRL_TOOLS.EXEUXENSERVICE.EXEUANTIVM.CHECKPROCESST
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPROCESSHACKER.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UQEMU-GA.EXE
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UVMUSRVC.EXE
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 34EC2C second address: 34EC30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 34EC30 second address: 34EC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4BFEB3 second address: 4BFEB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4BFEB9 second address: 4BFEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950EB8E4Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4BFEC7 second address: 4BFECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C0014 second address: 4C001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C001E second address: 4C002A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F0950FC2076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C002A second address: 4C0043 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0950EB8E4Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C377D second address: 4C378A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C378A second address: 4C378F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3889 second address: 4C3895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3895 second address: 4C38F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jp 00007F0950EB8E4Eh 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F0950EB8E54h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 jo 00007F0950EB8E5Ch 0x00000026 jmp 00007F0950EB8E56h 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C39C2 second address: 4C39C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3A36 second address: 4C3A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3A3A second address: 4C3A44 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0950FC2076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3A44 second address: 4C3A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3A4A second address: 4C3A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3A4E second address: 4C3AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D19EFh], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F0950EB8E48h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d movzx ecx, ax 0x00000030 call 00007F0950EB8E49h 0x00000035 push ebx 0x00000036 push esi 0x00000037 pushad 0x00000038 popad 0x00000039 pop esi 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push ebx 0x0000003d jmp 00007F0950EB8E4Fh 0x00000042 pop ebx 0x00000043 mov eax, dword ptr [esp+04h] 0x00000047 jmp 00007F0950EB8E4Fh 0x0000004c mov eax, dword ptr [eax] 0x0000004e push eax 0x0000004f push edx 0x00000050 jno 00007F0950EB8E48h 0x00000056 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3AC1 second address: 4C3B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F0950FC2089h 0x00000012 pop eax 0x00000013 sub dword ptr [ebp+122D1A41h], ebx 0x00000019 push 00000003h 0x0000001b mov ecx, dword ptr [ebp+122D39EAh] 0x00000021 push 00000000h 0x00000023 or dword ptr [ebp+122D1AF4h], eax 0x00000029 push 00000003h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F0950FC2078h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 call 00007F0950FC2079h 0x0000004a jmp 00007F0950FC207Eh 0x0000004f push eax 0x00000050 pushad 0x00000051 jg 00007F0950FC207Ch 0x00000057 jnc 00007F0950FC207Ch 0x0000005d popad 0x0000005e mov eax, dword ptr [esp+04h] 0x00000062 jmp 00007F0950FC2080h 0x00000067 mov eax, dword ptr [eax] 0x00000069 push eax 0x0000006a push edx 0x0000006b js 00007F0950FC2080h 0x00000071 jmp 00007F0950FC207Ah 0x00000076 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3B84 second address: 4C3B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3B8A second address: 4C3B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3B8E second address: 4C3B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3B92 second address: 4C3BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edx 0x0000000d jnc 00007F0950FC2078h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dword ptr [ebp+122D1BAEh], eax 0x0000001b lea ebx, dword ptr [ebp+124484F2h] 0x00000021 mov dword ptr [ebp+122D1A89h], eax 0x00000027 xchg eax, ebx 0x00000028 pushad 0x00000029 jmp 00007F0950FC2088h 0x0000002e jmp 00007F0950FC2088h 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jns 00007F0950FC2078h 0x0000003d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C3BF9 second address: 4C3BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4A0B second address: 4E4A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950FC2087h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4A26 second address: 4E4A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4A2A second address: 4E4A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2AF3 second address: 4E2AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2AF8 second address: 4E2B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jo 00007F0950FC2076h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2B0C second address: 4E2B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0950EB8E46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jl 00007F0950EB8E6Dh 0x00000013 jmp 00007F0950EB8E4Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a jng 00007F0950EB8E46h 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2C64 second address: 4E2C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2C69 second address: 4E2C93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E58h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2C93 second address: 4E2CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007F0950FC2076h 0x0000000e jg 00007F0950FC2076h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2F3D second address: 4E2F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2F41 second address: 4E2F78 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0950FC2085h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F0950FC207Fh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2F78 second address: 4E2F82 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2F82 second address: 4E2F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E2F88 second address: 4E2F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E37FB second address: 4E3801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E3AE7 second address: 4E3AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E3AED second address: 4E3B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2080h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E3B02 second address: 4E3B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E3B07 second address: 4E3B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E3B10 second address: 4E3B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B5778 second address: 4B5795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0950FC2081h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B5795 second address: 4B57BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0950EB8E50h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0950EB8E4Fh 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B57BE second address: 4B57CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4336 second address: 4E4348 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F0950EB8E48h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4348 second address: 4E434E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4E4496 second address: 4E449A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B21F8 second address: 4B21FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4EFA44 second address: 4EFA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4EFA48 second address: 4EFA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0950FC2085h 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4EFC20 second address: 4EFC24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4EFC24 second address: 4EFC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4EFC2A second address: 4EFC2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0044 second address: 4F0070 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F0950FC208Eh 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007F0950FC2086h 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0070 second address: 4F0076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F01F4 second address: 4F0206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F0950FC2078h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0206 second address: 4F021C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0950EB8E4Eh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F021C second address: 4F0226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0950FC2076h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0226 second address: 4F022A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F247E second address: 4F24A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0950FC2089h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2632 second address: 4F263A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F263A second address: 4F263E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F263E second address: 4F264B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F264B second address: 4F264F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2AF9 second address: 4F2B0A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0950EB8E48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2B0A second address: 4F2B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2B10 second address: 4F2B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2C85 second address: 4F2CAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0950FC2080h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F31D1 second address: 4F31FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d mov edi, esi 0x0000000f mov edi, dword ptr [ebp+12447145h] 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0950EB8E4Fh 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F31FA second address: 4F320C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F33C8 second address: 4F33CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F4BA1 second address: 4F4BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F4BA5 second address: 4F4BD9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F0950EB8E57h 0x00000010 pop esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0950EB8E4Eh 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F4BD9 second address: 4F4BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F4BDF second address: 4F4BF5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0950EB8E4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F525C second address: 4F5262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F5262 second address: 4F5267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F83FD second address: 4F8402 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F65D7 second address: 4F65DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F973F second address: 4F9743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F9743 second address: 4F9747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4FA202 second address: 4FA206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4FACD6 second address: 4FACDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4FA206 second address: 4FA21B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4FB8D0 second address: 4FB8D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B8EB1 second address: 4B8EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4B8EB7 second address: 4B8EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50287C second address: 502881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 502881 second address: 50288B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0950EB8E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5036CC second address: 5036E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0950FC207Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5029E2 second address: 5029E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5036E1 second address: 503748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007F0950FC2086h 0x0000000f call 00007F0950FC207Bh 0x00000014 mov ebx, dword ptr [ebp+122D392Eh] 0x0000001a pop edi 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e add bx, 49E2h 0x00000023 push 00000000h 0x00000025 jmp 00007F0950FC2087h 0x0000002a push eax 0x0000002b push edi 0x0000002c jc 00007F0950FC207Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5029E6 second address: 5029EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50391A second address: 503920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 503920 second address: 503947 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F0950EB8E5Ch 0x00000011 jmp 00007F0950EB8E56h 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 504979 second address: 50497F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 505810 second address: 505814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50497F second address: 504984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50779B second address: 50779F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50779F second address: 50781E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0950FC2082h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, dx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F0950FC2078h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e xor dword ptr [ebp+122D1AEEh], edi 0x00000034 mov edi, dword ptr [ebp+122D39DAh] 0x0000003a push 00000000h 0x0000003c mov ebx, dword ptr [ebp+122D3902h] 0x00000042 jmp 00007F0950FC207Dh 0x00000047 xchg eax, esi 0x00000048 jmp 00007F0950FC2089h 0x0000004d push eax 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 509715 second address: 509732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950EB8E58h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 509732 second address: 509797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F0950FC2083h 0x0000000f xor edi, 6C866231h 0x00000015 push 00000000h 0x00000017 mov ebx, edi 0x00000019 push 00000000h 0x0000001b mov bx, ax 0x0000001e xchg eax, esi 0x0000001f push edi 0x00000020 push edi 0x00000021 jmp 00007F0950FC207Bh 0x00000026 pop edi 0x00000027 pop edi 0x00000028 push eax 0x00000029 pushad 0x0000002a jnl 00007F0950FC208Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50890B second address: 508910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 508910 second address: 508932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0950FC2087h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 508932 second address: 50893D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F0950EB8E46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50A772 second address: 50A78B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F0950FC2076h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F0950FC207Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50A78B second address: 50A78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5098F4 second address: 5098F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50A78F second address: 50A799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50A799 second address: 50A7EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jc 00007F0950FC207Bh 0x0000000f mov edi, 46575ED7h 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 adc di, DC67h 0x0000001c jns 00007F0950FC2076h 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F0950FC2078h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f mov dword ptr [ebp+12448D69h], edi 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50A7EE second address: 50A7F8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50B5DB second address: 50B5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50B5DF second address: 50B5E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50B5E3 second address: 50B60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F0950FC2086h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jo 00007F0950FC2080h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50D4D7 second address: 50D4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50D4DB second address: 50D4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50F5F9 second address: 50F607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F0950EB8E46h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50F607 second address: 50F60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 50E851 second address: 50E857 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5197C5 second address: 5197D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0950FC2076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5197D1 second address: 5197D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51993B second address: 519950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F0950FC2076h 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 519950 second address: 519956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 519956 second address: 519960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 519960 second address: 519964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 519C20 second address: 519C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FCB4 second address: 51FCB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FCB8 second address: 51FCBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FCBC second address: 51FCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F0950EB8E54h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0950EB8E58h 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FCF7 second address: 51FD13 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0950FC2076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007F0950FC207Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FE1A second address: 51FE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FE1F second address: 51FE5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0950FC207Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F0950FC208Ch 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jbe 00007F0950FC2096h 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007F0950FC2076h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FE5E second address: 51FE82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jnc 00007F0950EB8E46h 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 51FFFF second address: 520017 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007F0950FC2076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F0950FC2076h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 520017 second address: 52001B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52001B second address: 52002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52002E second address: 520064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0950EB8E56h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 524FEE second address: 524FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5242D4 second address: 5242E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 ja 00007F0950EB8E4Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5242E3 second address: 5242ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5242ED second address: 5242F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5249C2 second address: 5249C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5249C8 second address: 5249FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 js 00007F0950EB8E46h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0950EB8E4Eh 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007F0950EB8E46h 0x0000001d jmp 00007F0950EB8E4Fh 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5249FD second address: 524A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2085h 0x00000007 jmp 00007F0950FC2080h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 524A2A second address: 524A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52A95C second address: 52A965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52A965 second address: 52A981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E50h 0x00000007 jo 00007F0950EB8E4Eh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52A981 second address: 52A99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007F0950FC2080h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52A99D second address: 52A9A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AAFD second address: 52AB22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2087h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F0950FC207Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AB22 second address: 52AB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AB28 second address: 52AB3D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0950FC207Bh 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AB3D second address: 52AB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AF54 second address: 52AF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52AF5C second address: 52AF66 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0950EB8E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52B0C2 second address: 52B0F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2081h 0x00000007 jmp 00007F0950FC207Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F0950FC2086h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52B0F8 second address: 52B10D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0950EB8E4Eh 0x00000008 push esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52B3A1 second address: 52B3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52CE59 second address: 52CE78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0950EB8E52h 0x0000000d pop edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 52CE78 second address: 52CE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2088h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 531776 second address: 531798 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0950EB8E4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0950EB8E4Eh 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 531798 second address: 5317A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0950FC2076h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5317A2 second address: 5317A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5317A6 second address: 5317B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5317B1 second address: 5317F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950EB8E57h 0x00000009 jl 00007F0950EB8E46h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0950EB8E55h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5317F0 second address: 5317F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5317F4 second address: 531829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Fh 0x00000007 jmp 00007F0950EB8E52h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F0950EB8E50h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 531829 second address: 531854 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0950FC207Eh 0x00000008 pushad 0x00000009 jl 00007F0950FC2076h 0x0000000f jnp 00007F0950FC2076h 0x00000015 jmp 00007F0950FC207Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53065B second address: 53065F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53065F second address: 53066B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53066B second address: 53066F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53066F second address: 530683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0950FC2076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F0950FC2076h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 530683 second address: 530687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0D0B second address: 4F0D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0E03 second address: 4F0E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F0950EB8E57h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0E28 second address: 4F0E2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F0F2C second address: 4F0F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F13CC second address: 34EC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, edx 0x0000000b push dword ptr [ebp+122D13D1h] 0x00000011 jmp 00007F0950FC2080h 0x00000016 call dword ptr [ebp+122D1BA9h] 0x0000001c pushad 0x0000001d pushad 0x0000001e cld 0x0000001f mov cx, dx 0x00000022 popad 0x00000023 xor eax, eax 0x00000025 jmp 00007F0950FC207Dh 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e cld 0x0000002f mov dword ptr [ebp+122D3936h], eax 0x00000035 add dword ptr [ebp+122D18E6h], edi 0x0000003b mov esi, 0000003Ch 0x00000040 mov dword ptr [ebp+122D1A41h], ebx 0x00000046 add esi, dword ptr [esp+24h] 0x0000004a jmp 00007F0950FC2085h 0x0000004f stc 0x00000050 lodsw 0x00000052 jmp 00007F0950FC2086h 0x00000057 add eax, dword ptr [esp+24h] 0x0000005b mov dword ptr [ebp+122D1A09h], ebx 0x00000061 mov ebx, dword ptr [esp+24h] 0x00000065 mov dword ptr [ebp+122D1962h], eax 0x0000006b nop 0x0000006c jmp 00007F0950FC2087h 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F0950FC207Dh 0x0000007b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1542 second address: 4F1558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1558 second address: 4F155C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F15F0 second address: 4F15F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F15F6 second address: 4F1642 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0950FC2076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0950FC2084h 0x00000012 xchg eax, esi 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0950FC2078h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov di, F8E6h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 pop edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1642 second address: 4F164C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F176E second address: 4F1780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1849 second address: 4F184D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F184D second address: 4F1869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F195B second address: 4F1965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1939 second address: 4F195B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0950FC2089h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F1CAB second address: 4F1D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0950EB8E46h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F0950EB8E4Bh 0x00000013 jnc 00007F0950EB8E4Ch 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F0950EB8E48h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 and edi, 4A5FFD51h 0x0000003b push 0000001Eh 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F0950EB8E48h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 sbb dh, FFFFFFC2h 0x0000005a xor edx, 326207A1h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 pushad 0x00000065 popad 0x00000066 jnp 00007F0950EB8E46h 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2074 second address: 4F2078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F2078 second address: 4F20E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0950EB8E4Fh 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov edx, dword ptr [ebp+122D1AEEh] 0x00000018 lea eax, dword ptr [ebp+12475ACBh] 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F0950EB8E48h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 and edi, dword ptr [ebp+122D18FFh] 0x0000003e nop 0x0000003f pushad 0x00000040 jmp 00007F0950EB8E50h 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4F20E3 second address: 4DB328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007F0950FC208Dh 0x0000000d nop 0x0000000e je 00007F0950FC2078h 0x00000014 mov dh, 48h 0x00000016 lea eax, dword ptr [ebp+12475A87h] 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F0950FC2078h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 sub edx, dword ptr [ebp+122D3AE6h] 0x0000003c push eax 0x0000003d jnp 00007F0950FC207Ah 0x00000043 mov dword ptr [esp], eax 0x00000046 jnp 00007F0950FC207Ah 0x0000004c call dword ptr [ebp+12455757h] 0x00000052 js 00007F0950FC20A8h 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4DB328 second address: 4DB32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4DB32E second address: 4DB338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 530959 second address: 530966 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 530B03 second address: 530B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0950FC2076h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 530EE1 second address: 530EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0950EB8E46h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 530EEC second address: 530EF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 je 00007F0950FC2076h 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 531165 second address: 531170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0950EB8E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5312EC second address: 5312F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 535A68 second address: 535A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Fh 0x00000007 jmp 00007F0950EB8E50h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B8B7 second address: 53B8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B8BC second address: 53B8C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B8C2 second address: 53B8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4AD14F second address: 4AD160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0950EB8E4Bh 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A488 second address: 53A48E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A876 second address: 53A87A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A87A second address: 53A880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A880 second address: 53A886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A886 second address: 53A8A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2088h 0x00000007 jp 00007F0950FC2082h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A8A8 second address: 53A8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53AB5D second address: 53AB63 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B114 second address: 53B11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B262 second address: 53B282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2089h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B6B0 second address: 53B6C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F0950EB8E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B6C0 second address: 53B6DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2089h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B6DD second address: 53B6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B6E8 second address: 53B6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53B6EE second address: 53B6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 53A070 second address: 53A084 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 jo 00007F0950FC2082h 0x0000000c jc 00007F0950FC2076h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 541566 second address: 54156C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54156C second address: 541570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5416E4 second address: 5416E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5416E9 second address: 5416EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5416EF second address: 541712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950EB8E54h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F0950EB8E46h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54199E second address: 5419A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54585C second address: 545862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 545862 second address: 545866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 545866 second address: 545877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0950EB8E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AD03 second address: 54AD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AD07 second address: 54AD19 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0950EB8E46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AFC2 second address: 54AFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0950FC2076h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AFD3 second address: 54AFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AFD7 second address: 54AFDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54AFDD second address: 54AFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jno 00007F0950EB8E46h 0x00000010 jmp 00007F0950EB8E51h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54B51A second address: 54B522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54B522 second address: 54B530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jns 00007F0950EB8E46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54B530 second address: 54B562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2081h 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007F0950FC2089h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54B68B second address: 54B690 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54C00F second address: 54C020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54FD8C second address: 54FD9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 54FD9A second address: 54FDB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950FC2089h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 550087 second address: 550095 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0950EB8E4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 550095 second address: 55009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55009F second address: 5500A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5500A8 second address: 5500C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5500C2 second address: 5500CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5500CC second address: 5500E4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0950FC2076h 0x00000008 jno 00007F0950FC2076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F0950FC2076h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 554499 second address: 5544B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0950EB8E50h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553D40 second address: 553D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0950FC2083h 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553ECA second address: 553ED6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0950EB8E46h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553ED6 second address: 553EEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F0950FC2076h 0x0000000b popad 0x0000000c je 00007F0950FC2082h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553EEA second address: 553EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553EF0 second address: 553F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0950FC207Eh 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 553F08 second address: 553F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F0950EB8E52h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55B1C2 second address: 55B1C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55B1C6 second address: 55B1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0950EB8E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007F0950EB8E46h 0x00000016 js 00007F0950EB8E46h 0x0000001c jmp 00007F0950EB8E58h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55C53A second address: 55C540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55C540 second address: 55C546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55CA9D second address: 55CAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0950FC2076h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55CAAB second address: 55CAD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0950EB8E48h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55CAD5 second address: 55CAE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55CAE3 second address: 55CB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0950EB8E5Ch 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F0950EB8E46h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 55CB12 second address: 55CB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 561A53 second address: 561A8A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0950EB8E4Eh 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0950EB8E51h 0x00000015 push ebx 0x00000016 ja 00007F0950EB8E46h 0x0000001c jnp 00007F0950EB8E46h 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565BC6 second address: 565BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2088h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565BE2 second address: 565BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F0950EB8E46h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0950EB8E4Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565BFD second address: 565C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565C02 second address: 565C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565C09 second address: 565C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565C14 second address: 565C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565C1A second address: 565C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565C1E second address: 565C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 564CDD second address: 564CEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jne 00007F0950FC2076h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565171 second address: 5651AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F0950EB8E58h 0x0000000f ja 00007F0950EB8E4Ch 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56562F second address: 565647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2084h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 565647 second address: 56564D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5658D1 second address: 5658D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 5658D7 second address: 5658E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 570106 second address: 570123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F0950FC2076h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0950FC207Eh 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 570123 second address: 570136 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0950EB8E46h 0x00000008 jno 00007F0950EB8E46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 570136 second address: 57013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56E283 second address: 56E2B4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0950EB8E4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007F0950EB8E4Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0950EB8E50h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56E2B4 second address: 56E2BE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0950FC2076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56E9C1 second address: 56E9E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F0950EB8E4Ah 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56ECBB second address: 56ECDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC2087h 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56ECDA second address: 56ECDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56ECDE second address: 56ECFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0950FC2083h 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56ECFE second address: 56ED08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0950EB8E46h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56EE5A second address: 56EE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56EE5F second address: 56EE72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b jc 00007F0950EB8E46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56EE72 second address: 56EE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56EE82 second address: 56EE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56EE8A second address: 56EE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56F151 second address: 56F15F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0950EB8E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE0C second address: 56DE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 ja 00007F0950FC2076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE1A second address: 56DE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE26 second address: 56DE2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE2A second address: 56DE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE32 second address: 56DE55 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0950FC208Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE55 second address: 56DE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 56DE5D second address: 56DE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 576DBA second address: 576DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 583A87 second address: 583A98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 583729 second address: 583790 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0950EB8E46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0950EB8E54h 0x00000011 jmp 00007F0950EB8E4Ch 0x00000016 popad 0x00000017 js 00007F0950EB8E8Fh 0x0000001d jg 00007F0950EB8E60h 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F0950EB8E58h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0950EB8E52h 0x00000031 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596EF5 second address: 596F14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007F0950FC2076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0950FC207Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596F14 second address: 596F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596F18 second address: 596F38 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0950FC2076h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F0950FC207Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F0950FC2076h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596F38 second address: 596F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596F3C second address: 596F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 596F46 second address: 596F55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 59EBCC second address: 59EBFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2086h 0x00000007 jmp 00007F0950FC207Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 59D42D second address: 59D43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F0950EB8E48h 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 59D6F8 second address: 59D72F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0950FC2088h 0x00000008 jmp 00007F0950FC2085h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60018 second address: 4C6001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6001C second address: 4C6002F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bx, E98Ah 0x00000010 mov bh, 14h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6002F second address: 4C60035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60035 second address: 4C60039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60039 second address: 4C6008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F0950FC2080h 0x0000000f mov dh, ch 0x00000011 pop ebx 0x00000012 pushfd 0x00000013 jmp 00007F0950FC207Ch 0x00000018 sub ah, FFFFFFA8h 0x0000001b jmp 00007F0950FC207Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F0950FC2085h 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6008B second address: 4C60091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60091 second address: 4C60095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60095 second address: 4C60114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push edi 0x0000000c pushfd 0x0000000d jmp 00007F0950EB8E50h 0x00000012 sub al, 00000068h 0x00000015 jmp 00007F0950EB8E4Bh 0x0000001a popfd 0x0000001b pop esi 0x0000001c mov ecx, edx 0x0000001e popad 0x0000001f and esp, FFFFFFF8h 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F0950EB8E51h 0x00000029 and cx, 4486h 0x0000002e jmp 00007F0950EB8E51h 0x00000033 popfd 0x00000034 mov esi, 2EEFFA37h 0x00000039 popad 0x0000003a xchg eax, ecx 0x0000003b jmp 00007F0950EB8E4Ah 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F0950EB8E4Eh 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60114 second address: 4C6017E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0950FC2081h 0x00000008 pop eax 0x00000009 call 00007F0950FC2081h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xchg eax, ecx 0x00000013 jmp 00007F0950FC2087h 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F0950FC2086h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F0950FC207Eh 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6017E second address: 4C601AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F0950EB8E56h 0x0000000f mov ebx, dword ptr [ebp+10h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ecx, edx 0x00000017 mov esi, ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C601AF second address: 4C601F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b jmp 00007F0950FC2088h 0x00000010 push eax 0x00000011 pushad 0x00000012 mov si, bx 0x00000015 mov ebx, 7D8BC180h 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F0950FC2082h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C601F2 second address: 4C601F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C601F8 second address: 4C601FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C601FC second address: 4C60221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0950EB8E4Dh 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60221 second address: 4C60226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60226 second address: 4C6028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 mov edi, eax 0x0000000b pushfd 0x0000000c jmp 00007F0950EB8E4Eh 0x00000011 adc ecx, 561FB488h 0x00000017 jmp 00007F0950EB8E4Bh 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], edi 0x00000021 jmp 00007F0950EB8E56h 0x00000026 test esi, esi 0x00000028 pushad 0x00000029 mov cl, 4Ch 0x0000002b movsx ebx, cx 0x0000002e popad 0x0000002f je 00007F09C31771E6h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F0950EB8E51h 0x0000003c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6028E second address: 4C60308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007F0950FC207Eh 0x00000015 je 00007F09C32803E9h 0x0000001b jmp 00007F0950FC2080h 0x00000020 mov edx, dword ptr [esi+44h] 0x00000023 jmp 00007F0950FC2080h 0x00000028 or edx, dword ptr [ebp+0Ch] 0x0000002b jmp 00007F0950FC2080h 0x00000030 test edx, 61000000h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F0950FC207Ah 0x0000003f rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60308 second address: 4C60317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60317 second address: 4C6031D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6031D second address: 4C60321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60321 second address: 4C6033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F09C32803D5h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0950FC207Ah 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C6033B second address: 4C60341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60341 second address: 4C60345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60345 second address: 4C60349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60349 second address: 4C60380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0950FC2082h 0x00000015 sub ch, 00000028h 0x00000018 jmp 00007F0950FC207Bh 0x0000001d popfd 0x0000001e mov ecx, 77E9AA1Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60380 second address: 4C60386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C507A7 second address: 4C507B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950FC207Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C507B9 second address: 4C507CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0950EB8E4Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C507CE second address: 4C50821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov eax, edx 0x00000014 popad 0x00000015 and esp, FFFFFFF8h 0x00000018 pushad 0x00000019 mov eax, edx 0x0000001b movsx ebx, cx 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F0950FC207Ch 0x00000025 push eax 0x00000026 pushad 0x00000027 mov bx, C174h 0x0000002b mov si, dx 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F0950FC207Fh 0x00000035 xchg eax, esi 0x00000036 pushad 0x00000037 push esi 0x00000038 mov edi, 0F7E51E6h 0x0000003d pop edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50821 second address: 4C50833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 movsx edi, ax 0x0000000c mov ecx, 4EB507E9h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50833 second address: 4C50867 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, 7FA081F6h 0x00000012 jmp 00007F0950FC2087h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50867 second address: 4C5088C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C5088C second address: 4C508D7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0950FC2088h 0x00000008 sbb ecx, 253CCCA8h 0x0000000e jmp 00007F0950FC207Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ah, D7h 0x00000018 popad 0x00000019 mov ebx, 00000000h 0x0000001e pushad 0x0000001f mov cl, 3Dh 0x00000021 movsx edx, cx 0x00000024 popad 0x00000025 test esi, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov edx, 44C7A352h 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C508D7 second address: 4C50940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F09C317E8E3h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F0950EB8E4Dh 0x00000018 jmp 00007F0950EB8E4Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F0950EB8E58h 0x00000024 adc ecx, 18779EF8h 0x0000002a jmp 00007F0950EB8E4Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50940 second address: 4C5099D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 jmp 00007F0950FC2080h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000015 jmp 00007F0950FC2080h 0x0000001a mov ecx, esi 0x0000001c jmp 00007F0950FC2080h 0x00000021 je 00007F09C3287A97h 0x00000027 pushad 0x00000028 mov eax, ebx 0x0000002a popad 0x0000002b test byte ptr [76FA6968h], 00000002h 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 mov ch, FDh 0x00000037 mov di, 0F00h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C5099D second address: 4C509A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C509A5 second address: 4C509CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F09C3287A80h 0x0000000d jmp 00007F0950FC207Dh 0x00000012 mov edx, dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edi, 0F1C52DEh 0x0000001d movsx ebx, si 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C509CE second address: 4C509D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C509D4 second address: 4C509D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C509D8 second address: 4C50A57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0950EB8E54h 0x00000013 xor ecx, 178C1208h 0x00000019 jmp 00007F0950EB8E4Bh 0x0000001e popfd 0x0000001f jmp 00007F0950EB8E58h 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F0950EB8E4Bh 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0950EB8E55h 0x00000033 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50B43 second address: 4C50BB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0950FC2087h 0x00000009 sub cx, 454Eh 0x0000000e jmp 00007F0950FC2089h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F0950FC2080h 0x0000001a xor si, 59C8h 0x0000001f jmp 00007F0950FC207Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 pop ebx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0950FC2082h 0x00000031 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C50BB8 second address: 4C50BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60C17 second address: 4C60CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0950FC207Ch 0x00000011 and eax, 383BC148h 0x00000017 jmp 00007F0950FC207Bh 0x0000001c popfd 0x0000001d mov edx, eax 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 push edi 0x00000023 mov bl, ch 0x00000025 pop ebx 0x00000026 pushfd 0x00000027 jmp 00007F0950FC2088h 0x0000002c xor ch, FFFFFFD8h 0x0000002f jmp 00007F0950FC207Bh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 pushad 0x00000038 call 00007F0950FC2084h 0x0000003d pushfd 0x0000003e jmp 00007F0950FC2082h 0x00000043 sbb cl, 00000068h 0x00000046 jmp 00007F0950FC207Bh 0x0000004b popfd 0x0000004c pop eax 0x0000004d mov dx, F0ACh 0x00000051 popad 0x00000052 mov ebp, esp 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60CC5 second address: 4C60CE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60CE1 second address: 4C60CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0AD3 second address: 4CE0B0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007F0950EB8E4Dh 0x0000000c jmp 00007F0950EB8E4Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0950EB8E55h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0B0E second address: 4CE0B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0950FC2081h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0950FC207Dh 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0B45 second address: 4CE0B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0B62 second address: 4CE0B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0B75 second address: 4CE0B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0EBA second address: 4CD0ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950FC207Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0ECC second address: 4CD0EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0EDC second address: 4CD0EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0EE0 second address: 4CD0EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0EE6 second address: 4CD0F00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, 2D86h 0x00000011 mov dl, 9Ch 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CD0DB1 second address: 4CD0DB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60F1A second address: 4C60F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60F1E second address: 4C60F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60F24 second address: 4C60F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950FC207Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60F37 second address: 4C60F90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950EB8E59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 pushfd 0x00000015 jmp 00007F0950EB8E4Fh 0x0000001a sub eax, 0EDA67BEh 0x00000020 jmp 00007F0950EB8E59h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60F90 second address: 4C60FAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC2081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4C60FAD second address: 4C60FB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe RDTSC instruction interceptor: First address: 4CE0366 second address: 4CE03DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0950FC2087h 0x00000009 and esi, 7BD17A8Eh 0x0000000f jmp 00007F0950FC2089h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F0950FC2080h 0x0000001b and ax, 8508h 0x00000020 jmp 00007F0950FC207Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0950FC2085h 0x00000031 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 3CF1D2 second address: 3CF1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 5501B4 second address: 5501C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 ja 00007F0950FC2076h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 54F63D second address: 54F645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 54F7DA second address: 54F7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 54F7E0 second address: 54F7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 54F7E6 second address: 54F7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0950FC207Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 54FAC0 second address: 54FAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 551458 second address: 55146B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0950FC207Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 55146B second address: 551482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0950EB8E53h 0x00000009 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 551482 second address: 5514C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0950FC2089h 0x0000000e nop 0x0000000f jng 00007F0950FC2076h 0x00000015 push 00000000h 0x00000017 mov ecx, dword ptr [ebp+122D3925h] 0x0000001d mov dx, 5500h 0x00000021 push F761C4B2h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push esi 0x0000002a pop esi 0x0000002b push esi 0x0000002c pop esi 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 5514C4 second address: 55156A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0950EB8E4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 089E3BCEh 0x00000011 mov si, CE8Eh 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 cld 0x0000001a push 00000003h 0x0000001c jns 00007F0950EB8E62h 0x00000022 call 00007F0950EB8E49h 0x00000027 jmp 00007F0950EB8E4Fh 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007F0950EB8E4Ch 0x00000036 popad 0x00000037 pushad 0x00000038 jmp 00007F0950EB8E4Bh 0x0000003d pushad 0x0000003e popad 0x0000003f popad 0x00000040 popad 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 jl 00007F0950EB8E4Ah 0x0000004b push eax 0x0000004c pushad 0x0000004d popad 0x0000004e pop eax 0x0000004f mov eax, dword ptr [eax] 0x00000051 push edx 0x00000052 push eax 0x00000053 jg 00007F0950EB8E46h 0x00000059 pop eax 0x0000005a pop edx 0x0000005b mov dword ptr [esp+04h], eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jg 00007F0950EB8E46h 0x00000069 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 55156A second address: 551570 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\userGCAFCAFHJJ.exe RDTSC instruction interceptor: First address: 5516E1 second address: 5516E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Special instruction interceptor: First address: 34EC98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Special instruction interceptor: First address: 34EBAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Special instruction interceptor: First address: 4F0EA7 instructions caused by: Self-modifying code
Source: C:\Users\userGCAFCAFHJJ.exe Special instruction interceptor: First address: 3CEA77 instructions caused by: Self-modifying code
Source: C:\Users\userGCAFCAFHJJ.exe Special instruction interceptor: First address: 57A043 instructions caused by: Self-modifying code
Source: C:\Users\userGCAFCAFHJJ.exe Special instruction interceptor: First address: 57A3DE instructions caused by: Self-modifying code
Source: C:\Users\userGCAFCAFHJJ.exe Special instruction interceptor: First address: 578FCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: DBEC98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: DBEBAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: F60EA7 instructions caused by: Self-modifying code
Source: C:\Users\userGCAFCAFHJJ.exe Special instruction interceptor: First address: 60287D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 2EEA77 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 49A043 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 49A3DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 498FCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 52287D instructions caused by: Self-modifying code
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 5160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Code function: 5_2_04CE0285 rdtsc 5_2_04CE0285
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 363
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Window / User API: threadDelayed 1187
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Window / User API: threadDelayed 851
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Window / User API: threadDelayed 1063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1633
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1624
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1419
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\buildred[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gawdth[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_cffi_backend.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_http_writer.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\pered[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2020[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\multidict\_multidict.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_bz2.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\yarl\_quoting_c.pyd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_asyncio.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\select.pyd
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000012001\2020.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\charset_normalizer\md__mypyc.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_helpers.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_hashlib.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_queue.pyd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_decimal.pyd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\frozenlist\_frozenlist.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_websocket.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\charset_normalizer\md.pyd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\aiohttp\_http_parser.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_ctypes.pyd
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\25072023[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000005001\2.exe
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_overlapped.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000010001\pered.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000014001\gawdth.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\pyexpat.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_uuid.pyd
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\_socket.pyd
Source: C:\Users\user\Desktop\file.exe API coverage: 8.3 %
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7940 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7940 Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7944 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7944 Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7892 Thread sleep count: 177 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7892 Thread sleep time: -5310000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7948 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7948 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7924 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7924 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7920 Thread sleep count: 57 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7920 Thread sleep time: -114057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7932 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7932 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7892 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8040 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8040 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8044 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8044 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7900 Thread sleep count: 363 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7900 Thread sleep time: -10890000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8016 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8016 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8024 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8024 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8148 Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8020 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8020 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8032 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8032 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7900 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7620 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7620 Thread sleep time: -216000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880 Thread sleep count: 1419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880 Thread sleep count: 100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Thread sleep count: Count: 1187 delay: -10
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\userGCAFCAFHJJ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3282714744.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V PowerShell Direct Service
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: stub.exe, 00000019.00000003.3016768492.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3014173409.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3002278553.000002606F473000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2988153464.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020050954.000002606F47E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3096155859.000002606F484000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicvss
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 342db65350.exe, 00000017.00000002.3265664089.0000000000326000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: RoamingIDBGHDGHCG.exe, 00000005.00000002.2246869524.00000000004C7000.00000040.00000001.01000000.00000009.sdmp, userGCAFCAFHJJ.exe, 00000008.00000002.2316247776.0000000000557000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, 00000009.00000002.2282977099.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.2288956274.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000F.00000002.2362284017.0000000000477000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3265021970.0000000000477000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3264864901.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2443375443.0000000002607000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3270683057.000000000154A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3270790823.0000000001885000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3270790823.0000000001858000.00000004.00000020.00020000.00000000.sdmp, 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmtoolsd.exeuvmwaretray.exeuvmacthlp.exeuvboxtray.exeuvboxservice.exeuvmsrvc.exeuprl_tools.exeuxenservice.exeuAntiVM.CheckProcessT
Source: stub.exe, 00000019.00000003.3016768492.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3014173409.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3002278553.000002606F473000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2988153464.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020050954.000002606F47E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3096155859.000002606F484000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Time Synchronization Service
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 97a671ae5d.exe, 00000014.00000002.2744921977.00000000025FD000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: stub.exe, 00000019.00000003.3016768492.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3014173409.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3002278553.000002606F473000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2988153464.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020050954.000002606F47E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3096155859.000002606F484000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Guest Shutdown Service
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmusrvc.exe
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: userGCAFCAFHJJ.exe, 00000008.00000003.2275354382.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmtoolsd.exe
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: xVBoxService.exe
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmwaretray.exe
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: stub.exe, 00000019.00000002.3098957207.000002606FD82000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3098891403.000002606FC92000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3282714744.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VMWare
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvboxtray.exe
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: stub.exe, 00000019.00000002.3098957207.000002606FD82000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *Hyper-V Administrators
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aqemu
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avirtualboxavmwareuAntiVM.CheckGpuadecoded_outputu<genexpr>uAntiVM.CheckGpu.<locals>.<genexpr>L
Source: stub.exe, 00000019.00000003.3025477729.000002606E70F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: stub.exe, 00000019.00000003.3016768492.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3014173409.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3002278553.000002606F473000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2988153464.000002606F47C000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020050954.000002606F47E000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000002.3096155859.000002606F484000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Data Exchange Service
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RoamingIDBGHDGHCG.exe, RoamingIDBGHDGHCG.exe, 00000005.00000002.2246869524.00000000004C7000.00000040.00000001.01000000.00000009.sdmp, userGCAFCAFHJJ.exe, userGCAFCAFHJJ.exe, 00000008.00000002.2316247776.0000000000557000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2282977099.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.2288956274.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000000F.00000002.2362284017.0000000000477000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3265021970.0000000000477000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3264864901.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvboxservice.exe
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uqemu-ga.exe
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmsrvc.exe
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cvmware
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicheartbeat
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V (guest)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERVICE_NAME: vmicshutdown
Source: 342db65350.exe, 00000017.00000002.3265664089.0000000000326000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.0000000000326000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 342db65350.exe, 00000017.00000002.3339226587.0000000006443000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\]
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: stub.exe, 00000019.00000002.3093364671.000002606F235000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020784420.000002606F235000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Heartbeat Service
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uvmwareuser.exe
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avmware
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: RoamingIDBGHDGHCG.exe, 00000005.00000002.2248551949.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asandboxacuckooavmavirtualaqemuavboxaxenanodeuAntiVM.CheckHostNameT
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: stub.exe, 00000019.00000002.3093364671.000002606F235000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.3020784420.000002606F235000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000019.00000003.2980692355.000002606FD93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DISPLAY_NAME: Hyper-V Guest Service Interface
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000003.2082844403.0000000028D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VBoxService.exe
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cVMware
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 97a671ae5d.exe, 00000014.00000002.2744968028.0000000002666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: axplong.exe, 00000012.00000002.3270683057.0000000001578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd2
Source: 342db65350.exe, 00000017.00000002.3265664089.00000000001F6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: build.exe, 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uwmic path Win32_ComputerSystem get ManufacturercVMwarecvmwareuAntiVM.CheckHypervisoraFakeErrorT
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Code function: 5_2_04CE0285 rdtsc 5_2_04CE0285
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter, 0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041A718
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C5DB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C5DB1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C78AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 97a671ae5d.exe PID: 7188, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1172008
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BE2008
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 534000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 673008
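The anti-debugging events listed above (HideFromDebugger, DebugPort queries, window-class scans for OllyDbg and the Sysinternals monitors, opens of the NTICE/SICE/SIWVID devices, rdtsc and fs:[30h] access) and the RegAsm.exe allocation/write lines in this section each map to a well-known technique. The Python below is an added triage helper, not part of the sandbox report or of the analysed sample: it parses lines in the report's own "Source: <process> <event>: <detail>" layout, builds a per-process matrix of anti-debug techniques, and reconstructs the cross-process write chain, flagging the hollowing pattern (RWX allocation in the target at an image base, then a buffer starting with 4D5A, i.e. "MZ", written to that base). SAMPLE_LINES is a constructed subset copied from the findings above, and the rule table with its API mapping is my own, not the report's.

```python
"""Triage helper for sandbox behaviour lines in the 'Source: <process> <event>: <detail>' layout.
Added example for this page; it is not part of the report or of the analysed sample."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the findings above, not a full export.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Code function: 5_2_04CE0285 rdtsc 5_2_04CE0285
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
"""

# "Jump to behavior" is link residue from the HTML report and is stripped during parsing.
LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<event>[^:]+): (?P<detail>.*?)(?: Jump to behavior)?$")

# (event, detail pattern, technique label, what the malware actually calls).
# This mapping is mine (ATT&CK T1622, Debugger Evasion), not something the report states.
ANTIDEBUG_RULES = [
    ("Thread information set", r"HideFromDebugger", "ThreadHideFromDebugger",
     "NtSetInformationThread(ThreadHideFromDebugger): the debugger stops receiving the thread's events"),
    ("Process queried", r"DebugPort", "ProcessDebugPort",
     "NtQueryInformationProcess(ProcessDebugPort): non-zero means a debugger is attached"),
    ("Open window title or class name", r".", "DebuggerWindowScan",
     "FindWindow on OllyDbg / Procmon / Regmon / Filemon window classes"),
    ("File opened", r"^(NTICE|SICE|SIWVID)$", "SoftICEDeviceProbe",
     "CreateFile on the \\\\.\\NTICE, \\\\.\\SICE, \\\\.\\SIWVID driver devices"),
    ("Code function", r"\brdtsc\b", "TimingCheck",
     "rdtsc delta: single-stepping or tracing inflates the cycle count"),
    ("Code function", r"fs:\[0*30h\]", "PEBAccess",
     "fs:[30h] is the PEB (BeingDebugged, NtGlobalFlag, heap flags)"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse(lines):
    """Yield (process basename, event, detail) for every line that fits the layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield basename(m["src"]), m["event"], m["detail"]


def antidebug_matrix(lines):
    """Map each process to the set of anti-debug technique labels it exhibited."""
    matrix = defaultdict(set)
    for proc, event, detail in parse(lines):
        for rule_event, pattern, label, _why in ANTIDEBUG_RULES:
            if event == rule_event and re.search(pattern, detail):
                matrix[proc].add(label)
    return dict(matrix)


MEM_RE = re.compile(r"(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)(?P<rest>.*)")


def injection_chains(lines):
    """Reconstruct cross-process writes per (source, target) pair and flag the hollowing pattern:
    an RWX allocation in the target at some base, then a buffer starting with 'MZ' (4D5A) written
    to that same base (ATT&CK T1055.012, here into the signed .NET host RegAsm.exe)."""
    chains = defaultdict(lambda: {"rwx": set(), "mz": set(), "writes": set()})
    for proc, event, detail in parse(lines):
        if event not in ("Memory allocated", "Memory written"):
            continue
        m = MEM_RE.match(detail)
        if not m:
            continue
        c = chains[(proc, basename(m["target"]))]
        base = int(m["base"], 16)
        if event == "Memory allocated" and "execute" in m["rest"] and "write" in m["rest"]:
            c["rwx"].add(base)
        elif event == "Memory written":
            c["writes"].add(base)
            if "value starts with: 4D5A" in m["rest"]:
                c["mz"].add(base)
    report = []
    for (src, tgt), c in chains.items():
        report.append({"source": src, "target": tgt,
                       "hollowing": bool(c["rwx"] & c["mz"]),
                       "image_base": min(c["mz"]) if c["mz"] else None,
                       "write_bases": sorted(c["writes"])})
    return report


if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    for proc, techniques in sorted(antidebug_matrix(lines).items()):
        print(f"{proc:28} {', '.join(sorted(techniques))}")
    for chain in injection_chains(lines):
        print(chain)
```

The matrix is what you want when deciding which dropped binary to unpack first: explorti.exe (the Amadey-style loader here) carries the full classic set, while file.exe only touches the PEB. The chain reconstruction turns the dozen "Memory written" lines into one fact per pair, crypted.exe hollowing RegAsm.exe with an image base of 0x400000, which is the value to seed a memory dump carve with.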
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGCAFCAFHJJ.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe "C:\Users\user\AppData\RoamingIDBGHDGHCG.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingIDBGHDGHCG.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userGCAFCAFHJJ.exe "C:\Users\userGCAFCAFHJJ.exe" Jump to behavior
Source: C:\Users\userGCAFCAFHJJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000001001\build.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe "C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe "C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe "C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000001001\build.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe "C:\Users\user\AppData\Local\Temp\1000001001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
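The cmd.exe children that stub.exe spawns above are a discovery burst (ver, wmic csproduct, tasklist, systeminfo, net user, ipconfig, netstat, netsh firewall) followed by the commands that actually take data: netsh wlan show profiles, powershell Get-Clipboard, taskkill on chrome.exe before the browser store is read, and attrib +h +s on the dropped Monster.exe. The Python below is an added example, not part of the report or of the Monster Stealer sample: it runs detection logic over a constructed list of process-creation events modelled on those command lines (parent image, image, command line, roughly the Sysmon Event ID 1 fields), counts distinct discovery categories per parent, and flags the high-fidelity commands on their own. The category names, regexes and the threshold of four categories are assumptions for illustration, and grouping by parent image name stands in for grouping by parent PID inside a time window.

```python
"""Discovery-burst detection over process-creation events.
Added example for this page, not part of the report or of the Monster Stealer sample."""
import re
from collections import defaultdict

# Constructed events modelled on the cmd.exe children spawned by stub.exe above:
# (parent image, image, command line).  The explorer.exe event is benign noise added
# to show that a single discovery command does not fire.
EVENTS = [
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "ver"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "tasklist"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe""'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####Host Name#### & hostname & echo ####User Info#### & net user & net localgroup administrators & ipconfig/all & netstat -ano & netsh firewall show state"'),
    ("stub.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"'),
    ("explorer.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c "ipconfig /all"'),
]

# Discovery categories (assumed names); the threshold counts distinct categories per parent,
# so ten variants of the same enumeration command still count once.
DISCOVERY = [
    (r"\b(systeminfo|hostname|ver)\b", "system_info"),
    (r"\bwmic\s+csproduct\b", "machine_uuid"),
    (r"\bwmic\s+logicaldisk\b", "disk_enum"),
    (r"\btasklist\b", "process_enum"),
    (r"\bnet\s+(user|localgroup)\b", "account_enum"),
    (r"\bquery\s+user\b", "session_enum"),
    (r"\b(ipconfig|netstat|route\s+print|arp\s+-a)\b", "network_enum"),
    (r"\bnetsh\s+firewall\s+show\b", "firewall_enum"),
]

# Commands that justify an alert on their own, regardless of the discovery count.
HIGH_FIDELITY = [
    (r"\bnetsh\s+wlan\s+show\s+profiles\b", "wifi_profile_harvest"),
    (r"\bget-clipboard\b", "clipboard_capture"),
    (r"\btaskkill\b.*\bchrome\.exe\b", "browser_kill"),
    (r"\battrib\s+\+h\s+\+s\b", "hide_dropped_file"),
]


def tag_command(cmdline):
    """Return (discovery tags, high-fidelity tags) for one command line."""
    disc = {tag for pat, tag in DISCOVERY if re.search(pat, cmdline, re.IGNORECASE)}
    high = {tag for pat, tag in HIGH_FIDELITY if re.search(pat, cmdline, re.IGNORECASE)}
    return disc, high


def analyse(events, threshold=4):
    """Group shell children by parent image and decide per parent whether to alert.
    Real telemetry should key on parent PID plus a time window rather than the image name."""
    per_parent = defaultdict(lambda: {"commands": 0, "discovery": set(), "high_fidelity": set()})
    for parent, image, cmdline in events:
        if image.lower() not in ("cmd.exe", "powershell.exe"):
            continue
        state = per_parent[parent]
        state["commands"] += 1
        disc, high = tag_command(cmdline)
        state["discovery"] |= disc
        state["high_fidelity"] |= high
    for state in per_parent.values():
        burst = len(state["discovery"]) >= threshold
        state["alert"] = burst or bool(state["high_fidelity"])
        state["reasons"] = sorted(state["high_fidelity"]) + (
            [f"{len(state['discovery'])} discovery categories"] if burst else [])
    return dict(per_parent)


if __name__ == "__main__":
    for parent, state in analyse(EVENTS).items():
        flag = "ALERT" if state["alert"] else "ok"
        print(f"{flag:5} {parent:14} commands={state['commands']} reasons={state['reasons']}")
```

The split into a burst threshold and a high-fidelity list matters in practice: the discovery commands are individually common on admin hosts and only mean something in volume under one parent, whereas netsh wlan show profiles from a cmd.exe whose parent lives in %TEMP% is rare enough to alert on by itself.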
Source: 342db65350.exe, 00000017.00000002.3262699829.0000000000182000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RoamingIDBGHDGHCG.exe, RoamingIDBGHDGHCG.exe, 00000005.00000002.2246869524.00000000004C7000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2282977099.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp, explorti.exe, 0000000D.00000002.2288956274.0000000000F37000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Program Manager
Source: userGCAFCAFHJJ.exe, userGCAFCAFHJJ.exe, 00000008.00000002.2316247776.0000000000557000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 0000000F.00000002.2362284017.0000000000477000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3265021970.0000000000477000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: *XProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB341 cpuid 0_2_6C5DB341
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417630
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000003001\5447jsX.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000010001\pered.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000010001\pered.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\2020.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\2020.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000014001\gawdth.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000014001\gawdth.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\342db65350.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\multidict VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\multidict VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\multidict VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ro VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ta VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\th VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\hyphen-data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OriginTrials VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform\SignalDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Segmentation Platform\SignalStorageConfigDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel\1.0.0.2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ar VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\de VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\en-GB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\es VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\id VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\fr VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\de VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\es VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification\en-GB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification-shared\en-GB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification-shared\es VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-notification-shared\fr VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-checkout VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2023.9.25.0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\FirstPartySetsPreloaded\2023.9.25.0\_metadata VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\36\10.34.0.50 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.50 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2023.9.4.1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Logins.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Logins.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Web.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Web.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Cookies.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000001001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Cookies.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\HistoryData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\HistoryData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DownloadData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DownloadData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AutofillData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AutofillData.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Games VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox\History.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Sessions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Tokens VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Wallets VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\network_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\process_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox\History.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox\History.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Wallets VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\97a671ae5d.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00417420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004172F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004174D0
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
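The process chain above (stub.exe spawning cmd.exe for a chained systeminfo/net/netstat/netsh sweep, then cmd.exe spawning netsh wlan show profiles) is what a detection engineer would want to match on. The following is an added triage example, not part of the sandbox output: it models process-creation records as (image, parent, command line), which is an assumed schema to be mapped onto Sysmon Event ID 1 or the equivalent EDR fields, scores how many distinct discovery commands are chained into one command line, flags Wi-Fi profile enumeration (and the key=clear variant that actually reveals the PSK), and flags shells launched from the %TEMP%\onefile_<pid>_<timestamp>\ directory the report's stub.exe runs from (assumed here to be a Nuitka onefile extraction directory). The first three events reproduce the report's command lines; the last two are constructed for contrast.

```python
"""Triage of the discovery / Wi-Fi credential chain seen in the report.

Added example, not part of the sandbox output. Process-creation records are
modelled as (image, parent, command line); these field names are assumptions,
map them onto your EDR or Sysmon Event ID 1 schema.
"""
import re
from dataclasses import dataclass

# Discovery commands chained in the report's cmd.exe line, keyed by the first
# one or two words of each '&'-separated segment.
ONE_WORD = {"systeminfo", "ver", "hostname", "set", "tasklist",
            "ipconfig", "netstat", "arp"}
TWO_WORD = {("net", "user"), ("net", "localgroup"), ("query", "user"),
            ("wmic", "logicaldisk"), ("wmic", "startup"), ("sc", "query"),
            ("route", "print"), ("netsh", "firewall")}
CMD_PREFIX = re.compile(r'^.*?cmd\.exe"?\s+/[ck]\s*', re.I)   # strip 'cmd.exe /c'
WIFI_ENUM = re.compile(r"netsh\s+wlan\s+show\s+profiles?", re.I)
WIFI_KEY = re.compile(r"key\s*=\s*clear", re.I)
# %TEMP%\onefile_<pid>_<timestamp>\ is where the report's stub.exe lives;
# assumption: this is a Nuitka onefile extraction directory.
ONEFILE_DIR = re.compile(r"\\AppData\\Local\\Temp\\onefile_\d+_\d+\\", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class ProcEvent:
    image: str
    parent: str
    cmdline: str


def recon_score(cmdline: str) -> int:
    """Count distinct discovery commands chained with '&' in one command line."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    seen = set()
    for seg in body.split("&"):
        seg = seg.strip().strip('"')
        words = [w.lower() for w in re.split(r"[\s/]+", seg) if w]
        if not words or words[0] == "echo":          # section banners
            continue
        w0, w1 = words[0], (words[1] if len(words) > 1 else "")
        if w0 in ONE_WORD:
            seen.add(w0)
        elif (w0, w1) in TWO_WORD:
            seen.add(f"{w0} {w1}")
        elif w0 == "type" and seg.lower().endswith("\\etc\\hosts"):
            seen.add("hosts file")
    return len(seen)


def classify(ev: ProcEvent, recon_threshold: int = 5) -> set:
    """Return the detection tags that fire for one process-creation event."""
    tags = set()
    if recon_score(ev.cmdline) >= recon_threshold:
        tags.add("recon_chain")
    if WIFI_ENUM.search(ev.cmdline):
        tags.add("wifi_profile_enum")            # lists saved SSIDs only
        if WIFI_KEY.search(ev.cmdline):
            tags.add("wifi_key_dump")            # PSK printed in clear text
    if ONEFILE_DIR.search(ev.parent) and ev.image.lower().endswith(SHELLS):
        tags.add("temp_onefile_spawns_shell")
    return tags


def triage(events) -> list:
    """Return [(index, sorted tags)] for every event that fired at least one tag."""
    return [(i, sorted(t)) for i, ev in enumerate(events) if (t := classify(ev))]


STUB = r"C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NETSH = r"C:\Windows\System32\netsh.exe"
# Command line exactly as listed in the report.
RECON_CMDLINE = (
    r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & '
    r'echo ####System Version#### & ver & echo ####Host Name#### & hostname & '
    r'echo ####Environment Variable#### & set & echo ####Logical Disk#### & '
    r'wmic logicaldisk get caption,description,providername & echo ####User Info#### & '
    r'net user & echo ####Online User#### & query user & echo ####Local Group#### & '
    r'net localgroup & echo ####Administrators Info#### & net localgroup administrators & '
    r'echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & '
    r'net user administrator & echo ####Startup Info#### & wmic startup get caption,command & '
    r'echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & '
    r'echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & '
    r'echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & '
    r'echo ####Netstat#### & netstat -ano & echo ####Service Info#### & '
    r'sc query type= service state= all & echo ####Firewallinfo#### & '
    r'netsh firewall show state & netsh firewall show config"'
)
EVENTS = [
    ProcEvent(CMD, STUB, RECON_CMDLINE),                                   # report
    ProcEvent(CMD, STUB, r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"'),
    ProcEvent(NETSH, CMD, r"netsh wlan show profiles"),                    # report
    # Constructed benign admin activity: one discovery command, no onefile parent.
    ProcEvent(CMD, r"C:\Windows\explorer.exe",
              r'C:\Windows\system32\cmd.exe /c "ipconfig /all & ping -n 1 10.0.0.1"'),
    # Constructed follow-up a stealer needs to obtain the actual Wi-Fi key.
    ProcEvent(NETSH, CMD, r'netsh wlan show profile name="CorpWiFi" key=clear'),
]

if __name__ == "__main__":
    for idx, tags in triage(EVENTS):
        print(idx, EVENTS[idx].image, tags)
```

Two caveats when turning this into a rule: netsh wlan show profiles on its own only lists SSIDs, the PSK needs a second call with key=clear, so alert on the pair or, as here, on the parent chain rather than on the listing alone. The SecurityCenter2 AntivirusProduct/AntiSpyWareProduct/FirewallProduct queries issued by RegAsm.exe above come from a different telemetry source (WMI activity tracing or the EDR's WMI events), not process creation, and need their own rule keyed on an unexpected client image such as RegAsm.exe.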

Stealing of Sensitive Information

Source: Yara match File source: 9.2.explorti.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.userGCAFCAFHJJ.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.axplong.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.explorti.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.axplong.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RoamingIDBGHDGHCG.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorti.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2288695597.0000000000D51000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2321675490.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2316104817.0000000000361000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2649838006.0000000005520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2362139356.0000000000281000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3262529236.0000000000D51000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2203716913.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2646169494.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2225111532.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3262997504.0000000000281000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2248436376.0000000005540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2282786078.0000000000D51000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2242115500.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2245471234.00000000002E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.2782464290.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3102011990.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stub.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe, type: DROPPED
Source: Yara match File source: 33.2.crypted.exe.6fcbc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.crypted.exe.6fcbc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.crypted.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000002.2992462261.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2793593184.00000000006FC000.00000004.00000001.01000000.00000032.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2956394415.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\25072023[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\buildred[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe, type: DROPPED
Source: Yara match File source: 00000024.00000002.2850361286.00000000026EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.3029002681.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2443375443.0000000002607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 97a671ae5d.exe PID: 7188, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\process_info.txt
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Cookies.txt
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\Browsers\Firefox\History.txt
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File created: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\network_info.txt
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: passphrase.json
Source: file.exe String found in binary or memory: \Ethereum\
Source: file.exe, 00000000.00000002.2443375443.0000000002657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16fons\AppData\Roaming\Binance\.finger-print.fp*pH
Source: file.exe String found in binary or memory: Ethereum
Source: file.exe String found in binary or memory: file__0.localstorage
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
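The pipe-delimited strings above are the wallet target list embedded in file.exe: five fields per record, name|flag|relative path|file mask|flag, with the path field always starting with a backslash. The extracted strings are cut mid-record at both ends, so a parser has to re-align before it can read them. The following is an added example, not the sample's own code: it parses such a blob into records, reports the leading and trailing fragments instead of silently dropping them, and then checks which named targets actually exist under a given profile root, which turns the extracted configuration into a host-triage check. Assumptions, marked in the code as well: the two numeric columns are kept as opaque integers because the report does not establish their meaning; the relative paths are assumed to hang off %APPDATA% (Roaming), so the caller passes the root explicitly; SAMPLE_BLOB is constructed from fields visible in the report.

```python
"""Parse the pipe-delimited wallet target list carried by file.exe and hunt
for the files it names under a profile root.

Added example, not code from the sample. Assumptions: the two numeric columns
are opaque ints (meaning not established by the report); relative paths are
assumed to be relative to %APPDATA% (Roaming); SAMPLE_BLOB is constructed
from fields visible in the report and, like the extracted strings, starts
and ends mid-record.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

SAMPLE_BLOB = (
    r"\Electrum-LTC\wallets\|*.*|0|"                         # cut mid-record
    r"Exodus|1|\Exodus\|exodus.conf.json|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Electron Cash|1|\ElectronCash\wallets\|*.*|0|"
    r"Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|"
    r"Ethereum|1|\Ethereum\|keystore|0|"
    r"Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|"
    r"Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|"
    r"Binance|1|\Binance\|app-store.js"                       # truncated tail
)


@dataclass(frozen=True)
class WalletTarget:
    name: str
    flag_a: int      # opaque: meaning not established by the report
    relpath: str     # backslash-delimited, relative to the (assumed) AppData root
    mask: str        # file mask passed to glob
    flag_b: int      # opaque


def parse_wallet_targets(blob: str):
    """Return (records, leading_fragment, trailing_fragment) for a target blob."""
    fields = blob.split("|")
    # The path column is the only one that reliably starts with a backslash;
    # use the first such field to re-align a blob that was cut mid-record.
    try:
        i = next(k for k, f in enumerate(fields) if f.startswith("\\"))
    except StopIteration:
        return [], fields, []
    start = i - 2 if i >= 2 and fields[i - 1].isdigit() else i + 3
    leading, records, trailing = fields[:start], [], []
    for j in range(start, len(fields), 5):
        chunk = fields[j:j + 5]
        if len(chunk) < 5:
            trailing = chunk if any(chunk) else []   # incomplete final record
            break
        name, a, path, mask, b = chunk
        if not (path.startswith("\\") and a.isdigit() and b.isdigit()):
            raise ValueError(f"misaligned record at field {j}: {chunk}")
        records.append(WalletTarget(name, int(a), path, mask, int(b)))
    return records, leading, trailing


def hunt(targets, root: Path) -> dict:
    """Return {target name: [matches relative to root]} for targets present under root."""
    hits = {}
    for t in targets:
        parts = [p for p in t.relpath.split("\\") if p]     # portable join
        base = root.joinpath(*parts)
        if not base.is_dir():
            continue
        found = sorted(p.relative_to(root).as_posix() for p in base.glob(t.mask))
        if found:
            hits[t.name] = found
    return hits


def demo_hunt() -> dict:
    """Build a throwaway profile tree of constructed placeholder files and hunt it."""
    root = Path(tempfile.mkdtemp(prefix="wallet_hunt_"))
    try:
        for rel in ("Exodus/exodus.wallet/seed.seco",
                    "WalletWasabi/Client/Wallets/alice.json",
                    "WalletWasabi/Client/Wallets/notes.txt",     # misses *.json
                    "Ethereum/keystore/UTC--2024--deadbeef"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed placeholder\n")
        targets, _, _ = parse_wallet_targets(SAMPLE_BLOB)
        return hunt(targets, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")          # assumed base: Roaming AppData
    root = Path(appdata) if appdata else Path.home()
    targets, lead, tail = parse_wallet_targets(SAMPLE_BLOB)
    print(f"{len(targets)} targets parsed; fragments: {lead} / {tail}")
    print(hunt(targets, root))
```

Run against a real profile root, the hunt lists exactly the seed and keystore files the stealer would have collected, which is the set of credentials to treat as compromised on an infected host. The trailing fragment is returned rather than discarded so that a truncated record such as the Binance entry is visible to the analyst instead of being lost.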
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\discord
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\discordcanary
Source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe File opened: C:\Users\user\AppData\Local\discordptb
Source: Yara match File source: 00000019.00000000.2782464290.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3102011990.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe, type: DROPPED
Source: Yara match File source: 00000023.00000002.2992462261.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.3029002681.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.2782464290.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3043239757.000002606E460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3102011990.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stub.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 00000019.00000000.2782464290.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3102011990.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: stub.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2ED92742-89DC-DD72-92E8-869FA5A66493\system_info.txt, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe, type: DROPPED
Source: Yara match File source: 33.2.crypted.exe.6fcbc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.crypted.exe.6fcbc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.crypted.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000002.2992462261.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2793593184.00000000006FC000.00000004.00000001.01000000.00000032.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2956394415.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\25072023[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000009001\25072023.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\buildred[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000027001\buildred.exe, type: DROPPED
Source: Yara match File source: 00000024.00000002.2850361286.00000000026EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2744968028.0000000002617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.3029002681.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2443375443.0000000002607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 97a671ae5d.exe PID: 7188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: 00000019.00000000.2782464290.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3102011990.00007FF725AE6000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2773862520.0000020780A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_3032_133665109925829724\stub.exe, type: DROPPED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C790C40 sqlite3_bind_zeroblob, 0_2_6C790C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C790D60 sqlite3_bind_parameter_name, 0_2_6C790D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B8EA0 sqlite3_clear_bindings, 0_2_6C6B8EA0