Windows Analysis Report
rRYQiGZ4K3.exe

Overview

General Information

Sample name: rRYQiGZ4K3.exe
renamed because original name is a hash value
Original sample name: df504a29ad522d6eabe6258886d296bc.exe
Analysis ID: 1649322
MD5: df504a29ad522d6eabe6258886d296bc
SHA1: 70d007b95628877924e5a41cceabcba93bc46a80
SHA256: c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9
Tags: exeuser-abuse_ch

Detection

Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Disables Windows Defender notifications (registry)
Disables Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Monitors registry run keys for changes
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Classification chart (rendered as an image in the original report). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: rRYQiGZ4K3.exe Avira: detected
Source: http://45.93.20.28/85a1cacf11314eb8.phpI)6S Avira URL Cloud: Label: malware
Source: https://advennture.top/1q Avira URL Cloud: Label: malware
Source: https://advennture.top:443/GKsiio Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php; Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpG Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpB Avira URL Cloud: Label: malware
Source: https://wxayfarer.live:443/ALosnz Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/freebl3.dllBZ Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php) Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php;) Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dlllet Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpslh Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dllll Avira URL Cloud: Label: malware
Source: http://45.93.20.28/ Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dllQ) Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpowser Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php5a1cacf11314eb8.php Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dlloki Avira URL Cloud: Label: malware
Source: http://45.93.20.28/o Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/mozglue.dllWZ Avira URL Cloud: Label: malware
Source: https://esccapewz.run:443/ANSbwqyO Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phposition: Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpon Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpv Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phprefox Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\WLbfHbp[1].exe Avira: detection malicious, Label: TR/AVI.Agent.fsawc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[2].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\BIm18E9[1].exe Avira: detection malicious, Label: HEUR/AGEN.1350985
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\TbV75ZR[1].exe Avira: detection malicious, Label: TR/AVI.Agent.fsawc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\f73ae_003[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7IIl2eE[1].exe Avira: detection malicious, Label: TR/AVI.Agent.gilhh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["esccapewz.run/ANSbwqy", "travewlio.shop/ZNxbHi", "touvrlane.bet/ASKwjq", "sighbtseeing.shop/ASJnzh", "advennture.top/GKsiio", "targett.top/dsANGt", "holidamyup.today/AOzkns", "triplooqp.world/APowko"], "Build id": "c1f2c640bdeec3593cc90bef83d9190c931339f65612dd5d7045f117"}
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 98f2fbda18.exe.6388.34.memstrmin Malware Configuration Extractor: StealC {"C2 url": "45.93.20.28/85a1cacf11314eb8.php", "Botnet": "trump"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\BIm18E9[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\WLbfHbp[1].exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\f73ae_003[1].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\TbV75ZR[1].exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7IIl2eE[1].exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[3].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10341630101\BIm18E9.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\10341640101\7IIl2eE.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\10341650101\TbV75ZR.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\10341660101\f73ae_003.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\10341670101\WLbfHbp.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\10341680101\e051231d4e.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe ReversingLabs: Detection: 61%
Source: rRYQiGZ4K3.exe Virustotal: Detection: 55%
Source: rRYQiGZ4K3.exe ReversingLabs: Detection: 61%
Source: Submitted Sample Neural Call Log Analysis: 99.9%
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: esccapewz.run/ANSbwqy
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: travewlio.shop/ZNxbHi
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: touvrlane.bet/ASKwjq
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: sighbtseeing.shop/ASJnzh
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: advennture.top/GKsiio
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: targett.top/dsANGt
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: holidamyup.today/AOzkns
Source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp String decryptor: triplooqp.world/APowko
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 176.113.115.6
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Ni9kiput/index.php
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: S-%lu-
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: bb556cff4a
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: rapes.exe
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Startup
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Programs
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: %USERPROFILE%
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: clip.dll
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: http://
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: https://
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: /quiet
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Plugins/
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: &unit=
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: shell32.dll
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: kernel32.dll
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: GetNativeSystemInfo
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProgramData\
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: AVAST Software
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Kaspersky Lab
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Panda Security
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Doctor Web
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 360TotalSecurity
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Bitdefender
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Norton
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Sophos
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Comodo
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: WinDefender
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0123456789
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: ------
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: ?scr=1
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: ComputerName
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: -unicode-
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: VideoID
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProductName
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: CurrentBuild
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32.exe
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: "taskkill /f /im "
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && timeout 1 && del
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: && Exit"
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && ren
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Powershell.exe
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: shutdown -s -t 0
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: random
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: Keyboard Layout\Preload
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000419
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000422
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000423
Source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0000043f
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 13_2_6CE3A9A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE344C0 PK11_PubEncrypt, 13_2_6CE344C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE34440 PK11_PrivDecrypt, 13_2_6CE34440
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 13_2_6CE04420
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 13_2_6CE825B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 13_2_6CE1E6E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE18670 PK11_ExportEncryptedPrivKeyInfo, 13_2_6CE18670
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 13_2_6CE3A650
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 13_2_6CE5A730
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE60180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 13_2_6CE60180
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE343B0 PK11_PubEncryptPKCS1,PR_SetError, 13_2_6CE343B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE57C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 13_2_6CE57C00
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE17D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 13_2_6CE17D60
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 13_2_6CE5BD30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE59EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 13_2_6CE59EC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE33FF0 PK11_PrivDecryptPKCS1, 13_2_6CE33FF0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE39840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 13_2_6CE39840
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE33850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 13_2_6CE33850
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5DA40 SEC_PKCS7ContentIsEncrypted, 13_2_6CE5DA40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE33560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 13_2_6CE33560
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE2F050 PR_smprintf,SEC_CertNicknameConflict,strlen,realloc,memset,realloc,strlen,free,PR_smprintf,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PR_SetError,PR_GetCurrentThread,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,PK11_GenerateRandom,SECKEY_DestroyPrivateKey,PR_SetError,free,free,free,free,PK11_FindCertInSlot,PORT_NewArena_Util,free,PK11_ImportCert,PR_SetError,free,CERT_DestroyCertificate,PORT_FreeArena_Util,PR_GetCurrentThread,PORT_ArenaAlloc_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_GetCurrentThread,strlen,PR_SetError,PR_GetCurrentThread,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,PR_SetError,free,SECKEY_DestroyPrivateKey,SECKEY_DestroyEncryptedPrivateKeyInfo,PR_SetError, 13_2_6CE2F050

Phishing

Source: Yara match File source: Process Memory Space: 43a132b865.exe PID: 5960, type: MEMORYSTR
Source: rRYQiGZ4K3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: 98f2fbda18.exe, 0000000D.00000002.2083514575.00000000706AD000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: nss3.pdb@ source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.13.dr
Source: Binary string: nss3.pdb source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.13.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 43a132b865.exe, 00000019.00000002.1828791523.0000000000982000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: mozglue.pdb source: 98f2fbda18.exe, 0000000D.00000002.2083514575.00000000706AD000.00000002.00000001.01000000.0000001A.sdmp
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: number of queries: 2665
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF05070 strlen,PR_SetError,strcpy,_mbsdec,strlen,_mbsinc,_mbsinc,FindFirstFileA,GetLastError, 13_2_6CF05070
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 32MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 94MB

Networking

Source: Malware configuration extractor URLs: 45.93.20.28/85a1cacf11314eb8.php
Source: Malware configuration extractor URLs: esccapewz.run/ANSbwqy
Source: Malware configuration extractor URLs: travewlio.shop/ZNxbHi
Source: Malware configuration extractor URLs: touvrlane.bet/ASKwjq
Source: Malware configuration extractor URLs: sighbtseeing.shop/ASJnzh
Source: Malware configuration extractor URLs: advennture.top/GKsiio
Source: Malware configuration extractor URLs: targett.top/dsANGt
Source: Malware configuration extractor URLs: holidamyup.today/AOzkns
Source: Malware configuration extractor URLs: triplooqp.world/APowko
Source: Malware configuration extractor IPs: 176.113.115.6
Source: Joe Sandbox View IP Address: 176.113.115.7
Source: Joe Sandbox View IP Address: 1.1.1.1
Source: Joe Sandbox View ASN Name: SELECTELRU
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDECC60 PR_Recv, 13_2_6CDECC60
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.11
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687357574.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1689316710.0000000001414000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687829726.000000000140C000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1695786808.0000000001416000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2172298033.00000000011D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/
Source: 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2172298033.00000000011D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/0g
Source: 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2172298033.00000000011D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/H
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/Mkv
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/ed
Source: 4aa1430779.exe, 0000000C.00000002.1694992949.0000000001400000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687357574.00000000013FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/ranK.$
Source: 4aa1430779.exe, 0000000E.00000002.2204867939.0000000005AC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: 4aa1430779.exe, 0000000C.00000002.1694992949.0000000001400000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687357574.00000000013FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe#
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe.u
Source: 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exeFX
Source: 4aa1430779.exe, 0000000C.00000002.1694992949.0000000001400000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687357574.00000000013FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exeQ
Source: 4aa1430779.exe, 0000000E.00000003.2172459897.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2193286323.00000000011E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exep
Source: 4aa1430779.exe, 0000000C.00000003.1687447852.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694216029.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7:80/mine/random.exe
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp, 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp, 98f2fbda18.exe, 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php
Source: 98f2fbda18.exe, 0000000D.00000003.1735862622.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php)
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php0101
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php5a1cacf11314eb8.php
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php5b76698b5b4ff6efd868f8f132dc67f9
Source: 98f2fbda18.exe, 0000000D.00000003.1735862622.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php;
Source: 98f2fbda18.exe, 0000000D.00000003.1865498124.0000000001579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php;)
Source: 98f2fbda18.exe, 0000000D.00000003.1865498124.0000000001579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpAEBAKKJKKEBKFIDBFBA
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpB
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpDn
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpG
Source: 98f2fbda18.exe, 0000000D.00000003.1865498124.0000000001579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpI)6S
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpQ
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpRn
Source: 98f2fbda18.exe, 0000000D.00000003.1865498124.0000000001579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpS)
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpSt
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpY
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpary=----JEBGCBAFCGDAAKFIDGIEogon.exe
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpat
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpc
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpd
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpge
Source: 98f2fbda18.exe, 0000000D.00000003.1735862622.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpk
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpmf
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpmt
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpon
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phposition:
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpowser
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phprefox
Source: 98f2fbda18.exe, 0000000D.00000003.1735862622.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpslh
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpv
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/Jn
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/freebl3.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/freebl3.dllBZ
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/mozglue.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/mozglue.dllWZ
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll=)
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dllQ)
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllG(
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllhM
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dlli/
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dlllet
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllocal
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dlloki
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllsof
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/softokn3.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dllw
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28/o
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.284n
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.2885a1cacf11314eb8.phposition:
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28DGCGHDB
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.93.20.28_R29
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28part/form-data;
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://45.93.20.28ta
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nss3[1].dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nss3[1].dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3[1].dll.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3[1].dll.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000025.00000003.1812637303.0000026D6A3FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1809124421.0000026D6CD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779245674.0000026D6CC64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1813451778.0000026D6CABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1800064897.0000026D6CD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1781333208.0000026D6CC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1813451778.0000026D6CA98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1787226785.0000026D6CD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: TbV75ZR.exe.11.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://ocsp.digicert.com0
Source: nss3[1].dll.13.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.13.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: nss3[1].dll.13.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 98f2fbda18.exe, 98f2fbda18.exe, 0000000D.00000002.2083514575.00000000706AD000.00000002.00000001.01000000.0000001A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 98f2fbda18.exe, 0000000D.00000002.2079259650.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 4aa1430779.exe, 0000000C.00000003.1491508298.0000000005CAD000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1862585744.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2135118481.00000000058DD000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1885900246.0000000005B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000027.00000002.1873927736.000001A338E2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdMO
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: b4ba663854.exe, 00000028.00000002.2095599878.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2071546109.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2027795731.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2067081292.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2056780180.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095687014.00000000012E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top/
Source: b4ba663854.exe, 00000028.00000003.2027795731.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2056780180.00000000012D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top//q
Source: b4ba663854.exe, 00000028.00000002.2095599878.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2071546109.00000000012D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top/1q
Source: b4ba663854.exe, 00000028.00000003.2027795731.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918387192.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1984625208.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1937411312.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095599878.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2067553213.000000000128A000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2071546109.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1872198268.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057722475.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057722475.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2027795731.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1893811229.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2067081292.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095070327.000000000128A000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095687014.00000000012E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top/GKsiio
Source: b4ba663854.exe, 00000028.00000003.2067081292.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095687014.00000000012E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top/GKsiioq
Source: b4ba663854.exe, 00000028.00000003.2067553213.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2094483896.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top:443/GKsiio
Source: b4ba663854.exe, 00000028.00000003.2000832126.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top:443/GKsiiol
Source: b4ba663854.exe, 00000028.00000003.2067553213.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057913063.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2094483896.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top:443/GKsiiopi.default-release/key4.dbPK
Source: b4ba663854.exe, 00000028.00000003.2067553213.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057913063.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2029000838.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2094483896.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://advennture.top:443/GKsiiozh
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: 4aa1430779.exe, 0000000C.00000003.1503331238.0000000005BA1000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1871756260.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: 4aa1430779.exe, 0000000C.00000003.1545180600.000000000137D000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1967912600.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4aa1430779.exe, 0000000C.00000003.1454894881.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4aa1430779.exe, 0000000C.00000003.1454894881.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: 4aa1430779.exe, 0000000C.00000003.1503331238.0000000005BA1000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1871756260.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 4aa1430779.exe, 0000000C.00000003.1545180600.000000000137D000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1871756260.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4aa1430779.exe, 0000000C.00000003.1454894881.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: b4ba663854.exe, 00000028.00000003.2057913063.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2000832126.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2029000838.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://esccapewz.run:443/ANSbwqy
Source: b4ba663854.exe, 00000028.00000003.2067553213.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057913063.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2000832126.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2029000838.0000000001253000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2094483896.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://esccapewz.run:443/ANSbwqyO
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000001009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital/
Source: MSBuild.exe, 00000032.00000002.2017416226.0000000001075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital/gwpd
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000001016000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital/gwpd;
Source: MSBuild.exe, 00000032.00000002.2017416226.0000000001075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital/gwpdt
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000001009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital/s
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital:443/gwpd
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital:443/gwpdJrn
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital:443/gwpdcuW
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital:443/gwpdes
Source: MSBuild.exe, 00000032.00000002.2010796294.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ferromny.digital:443/gwpdkrO
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000027.00000002.1874098731.000001A339172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: nss3[1].dll.13.dr String found in binary or memory: https://mozilla.org0/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: 4aa1430779.exe, 0000000C.00000003.1689653173.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1440989227.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042951169.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1565518737.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2172298033.00000000011D6000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042547371.00000000011B6000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2201138155.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2209968890.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/
Source: 4aa1430779.exe, 0000000E.00000003.1865502122.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/%g
Source: 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/0g
Source: 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1865502122.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2172298033.00000000011D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/9g
Source: 4aa1430779.exe, 00000014.00000003.2201138155.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2209968890.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/=:X
Source: 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1865502122.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/RgD
Source: 4aa1430779.exe, 0000000E.00000003.2042951169.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1865502122.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042547371.00000000011B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/cg
Source: 4aa1430779.exe, 4aa1430779.exe, 0000000C.00000003.1545021900.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1562299683.0000000001414000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687357574.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1505523551.0000000005BAC000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1689554850.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1469791898.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1502381117.0000000005BA9000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1491128468.000000000142C000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1562330966.0000000001402000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1489529663.000000000142C000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1695486449.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042951169.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2171315021.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsopp
Source: 4aa1430779.exe, 0000000C.00000003.1440892277.000000000139D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsopp.dll
Source: 4aa1430779.exe, 0000000E.00000003.2042951169.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042547371.00000000011B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppEX
Source: 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppIu
Source: 4aa1430779.exe, 0000000E.00000003.1984826633.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1980408494.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppKwJkGr
Source: 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppUiL5
Source: 4aa1430779.exe, 0000000C.00000003.1687357574.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1689554850.0000000001403000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1562330966.0000000001402000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1695486449.0000000001403000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppa
Source: 4aa1430779.exe, 0000000E.00000003.2042951169.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2192614622.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1973050794.00000000011B6000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2167222997.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042547371.00000000011B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppb
Source: 4aa1430779.exe, 0000000C.00000003.1555456425.0000000001383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsopph
Source: 4aa1430779.exe, 0000000C.00000003.1545021900.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1562299683.0000000001414000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppo
Source: 4aa1430779.exe, 00000014.00000003.2179621071.0000000000E41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppsi
Source: 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/gsoppx
Source: 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.00000000013AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/k
Source: 4aa1430779.exe, 0000000E.00000003.2065097809.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2066538184.00000000011BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/k%g
Source: 4aa1430779.exe, 00000014.00000003.2209968890.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/k3:J
Source: 4aa1430779.exe, 0000000E.00000003.2000274178.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2011374493.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live/kGg9
Source: 4aa1430779.exe, 0000000C.00000003.1545180600.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687447852.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1440989227.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555456425.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694216029.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1984826633.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2043476594.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1980408494.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2184991044.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2179621071.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2201653679.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live:443/gsopp
Source: 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2043476594.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live:443/gsopp6w
Source: 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1984826633.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2043476594.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1980408494.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1565518737.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live:443/gsoppSw
Source: 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live:443/gsoppages
Source: 4aa1430779.exe, 0000000C.00000003.1687447852.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694216029.0000000001383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oreheatq.live:443/gsoppxxd8pi.default-release/key4.dbPK
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000025.00000003.1782676070.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1779628758.0000026D6C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1782177802.0000026D6C819000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: b4ba663854.exe, 00000028.00000003.2000832126.0000000001253000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sighbtseeing.shop:443/ASJnzh
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 98f2fbda18.exe, 0000000D.00000003.1999851739.000000000C154000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: 4aa1430779.exe, 0000000C.00000003.1545180600.000000000137D000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1967912600.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 4aa1430779.exe, 0000000C.00000003.1454894881.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: rapes.exe, 0000000B.00000003.2181062928.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 4aa1430779.exe, 0000000C.00000003.1454894881.0000000005BE8000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1735640335.000000000159E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1810009775.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2088735265.000000000580A000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2089721070.000000000580C000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1843146046.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1842295949.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: firefox.exe, 00000025.00000003.1751556912.0000026D6CC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1749233471.0000026D6CA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1776466159.0000026D6CC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1777114925.0000026D6CC7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1771552882.0000026D6CC4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.1765646761.0000026D6CC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: 4aa1430779.exe, 0000000C.00000003.1545180600.000000000137D000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2070088200.000000000C01D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1871756260.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2153007045.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1918143444.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp, 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp, 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002C4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 4aa1430779.exe, 0000000C.00000003.1493922441.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1999851739.000000000C154000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1869427562.0000000005BED000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2140335383.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: 4aa1430779.exe, 0000000C.00000003.1493922441.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1999851739.000000000C154000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1869427562.0000000005BED000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2140335383.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp, firefox.exe, 00000027.00000002.1874098731.000001A3391C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000027.00000002.1873844603.000001A338DE0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: 4aa1430779.exe, 0000000C.00000003.1493922441.0000000005EC0000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1999851739.000000000C154000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1869427562.0000000005BED000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2140335383.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1895432723.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 4aa1430779.exe, 0000000C.00000003.1440989227.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1984826633.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2043476594.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1980408494.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1565518737.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000114A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2184991044.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2179621071.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 00000014.00000003.2201653679.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wxayfarer.live:443/ALosnz
Source: firefox.exe, 00000027.00000002.1876294289.000001A339250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/chal&
Source: firefox.exe, 00000023.00000002.1734788897.00000233CA290000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1876294289.000001A339254000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1873927736.000001A338E2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000021.00000002.1707123015.0000015461AB0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.1734788897.00000233CA299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000027.00000002.1876294289.000001A339254000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.1873927736.000001A338E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000027.00000002.1873927736.000001A338E2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdaK
Source: firefox.exe, 00000027.00000002.1873927736.000001A338E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwduK

System Summary

Source: 01f5cbd84e.exe, 00000010.00000002.1780483809.0000000000662000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0249c028-8
Source: 01f5cbd84e.exe, 00000010.00000002.1780483809.0000000000662000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b0489b24-9
Source: rRYQiGZ4K3.exe Static PE information: section name:
Source: rRYQiGZ4K3.exe Static PE information: section name: .idata
Source: rRYQiGZ4K3.exe Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Source: random[3].exe.11.dr Static PE information: section name:
Source: random[3].exe.11.dr Static PE information: section name: .idata
Source: random[3].exe.11.dr Static PE information: section name:
Source: 871714e72e.exe.11.dr Static PE information: section name:
Source: 871714e72e.exe.11.dr Static PE information: section name: .idata
Source: 871714e72e.exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name: .idata
Source: 4aa1430779.exe.11.dr Static PE information: section name:
Source: 4aa1430779.exe.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: 98f2fbda18.exe.11.dr Static PE information: section name:
Source: 98f2fbda18.exe.11.dr Static PE information: section name: .idata
Source: 98f2fbda18.exe.11.dr Static PE information: section name:
Source: f59cb4f3ef.exe.11.dr Static PE information: section name:
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: .idata
Source: e240a344bf.exe.11.dr Static PE information: section name:
Source: e240a344bf.exe.11.dr Static PE information: section name: .idata
Source: e240a344bf.exe.11.dr Static PE information: section name:
Source: 4858284b54.exe.11.dr Static PE information: section name:
Source: 4858284b54.exe.11.dr Static PE information: section name: .idata
Source: 4858284b54.exe.11.dr Static PE information: section name:
Source: random[1].exe2.11.dr Static PE information: section name:
Source: random[1].exe2.11.dr Static PE information: section name: .idata
Source: random[1].exe2.11.dr Static PE information: section name:
Source: 43a132b865.exe.11.dr Static PE information: section name:
Source: 43a132b865.exe.11.dr Static PE information: section name: .idata
Source: 43a132b865.exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name: .idata
Source: random[2].exe.11.dr Static PE information: section name:
Source: b4ba663854.exe.11.dr Static PE information: section name:
Source: b4ba663854.exe.11.dr Static PE information: section name: .idata
Source: b4ba663854.exe.11.dr Static PE information: section name:
Source: random[2].exe0.11.dr Static PE information: section name:
Source: random[2].exe0.11.dr Static PE information: section name: .idata
Source: random[2].exe0.11.dr Static PE information: section name:
Source: 1c2040cc08.exe.11.dr Static PE information: section name:
Source: 1c2040cc08.exe.11.dr Static PE information: section name: .idata
Source: 1c2040cc08.exe.11.dr Static PE information: section name:
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name:
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: .idata
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name:
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name:
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: .idata
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name:
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name:
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: .idata
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File created: C:\Windows\Tasks\rapes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_013CF00A 12_3_013CF00A
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_013CF00A 12_3_013CF00A
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_014089A1 12_3_014089A1
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_01409173 12_3_01409173
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_01404979 12_3_01404979
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_013CF00A 12_3_013CF00A
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_013CF00A 12_3_013CF00A
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDDECD0 13_2_6CDDECD0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD7ECC0 13_2_6CD7ECC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD8AC60 13_2_6CD8AC60
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5AC30 13_2_6CE5AC30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE46C00 13_2_6CE46C00
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF0CDC0 13_2_6CF0CDC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD84DB0 13_2_6CD84DB0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE16D90 13_2_6CE16D90
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE4ED70 13_2_6CE4ED70
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEAAD50 13_2_6CEAAD50
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF08D20 13_2_6CF08D20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD8AEC0 13_2_6CD8AEC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE20EC0 13_2_6CE20EC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE06E90 13_2_6CE06E90
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE1EE70 13_2_6CE1EE70
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE60E20 13_2_6CE60E20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5EFF0 13_2_6CE5EFF0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD80FE0 13_2_6CD80FE0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC8FB0 13_2_6CEC8FB0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD8EFB0 13_2_6CD8EFB0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE42F70 13_2_6CE42F70
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDEEF40 13_2_6CDEEF40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD86F10 13_2_6CD86F10
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC0F20 13_2_6CEC0F20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE868E0 13_2_6CE868E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDC2880 13_2_6CDC2880
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE54840 13_2_6CE54840
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE0A820 13_2_6CE0A820
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE9C9E0 13_2_6CE9C9E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB49F0 13_2_6CDB49F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE109A0 13_2_6CE109A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE3A9A0 13_2_6CE3A9A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE409B0 13_2_6CE409B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB8960 13_2_6CDB8960
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD6900 13_2_6CDD6900
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDFEA80 13_2_6CDFEA80
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDFCA70 13_2_6CDFCA70
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE38A30 13_2_6CE38A30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE2EA00 13_2_6CE2EA00
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE86BE0 13_2_6CE86BE0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE20BA0 13_2_6CE20BA0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD88BAC 13_2_6CD88BAC
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDC64D0 13_2_6CDC64D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE1A4D0 13_2_6CE1A4D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEAA480 13_2_6CEAA480
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD98460 13_2_6CD98460
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE0A430 13_2_6CE0A430
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE4420 13_2_6CDE4420
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE4A5E0 13_2_6CE4A5E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE0E5F0 13_2_6CE0E5F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD745B0 13_2_6CD745B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE20570 13_2_6CE20570
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD8540 13_2_6CDD8540
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE84540 13_2_6CE84540
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC8550 13_2_6CEC8550
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE2560 13_2_6CDE2560
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE1E6E0 13_2_6CE1E6E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDA46D0 13_2_6CDA46D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDDE6E0 13_2_6CDDE6E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDDC650 13_2_6CDDC650
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDAA7D0 13_2_6CDAA7D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE00700 13_2_6CE00700
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD78090 13_2_6CD78090
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5C0B0 13_2_6CE5C0B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD900B0 13_2_6CD900B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDCE070 13_2_6CDCE070
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE4C000 13_2_6CE4C000
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE48010 13_2_6CE48010
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD801E0 13_2_6CD801E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE8140 13_2_6CDE8140
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE64130 13_2_6CE64130
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDF6130 13_2_6CDF6130
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF062C0 13_2_6CF062C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE522A0 13_2_6CE522A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE4E2B0 13_2_6CE4E2B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD9A2B0 13_2_6CD9A2B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE08260 13_2_6CE08260
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE18250 13_2_6CE18250
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE58220 13_2_6CE58220
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE4A210 13_2_6CE4A210
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD43E0 13_2_6CDD43E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD2380 13_2_6CDD2380
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDDE3B0 13_2_6CDDE3B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB23A0 13_2_6CDB23A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE9C360 13_2_6CE9C360
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE16370 13_2_6CE16370
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD88340 13_2_6CD88340
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC2370 13_2_6CEC2370
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD82370 13_2_6CD82370
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDF2320 13_2_6CDF2320
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE41CE0 13_2_6CE41CE0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEBDCD0 13_2_6CEBDCD0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD83C40 13_2_6CD83C40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEA9C40 13_2_6CEA9C40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD91C30 13_2_6CD91C30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE51DC0 13_2_6CE51DC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD73D80 13_2_6CD73D80
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC9D90 13_2_6CEC9D90
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE3D00 13_2_6CDE3D00
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDA3EC0 13_2_6CDA3EC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF05E60 13_2_6CF05E60
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE8DE10 13_2_6CE8DE10
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE2BFF0 13_2_6CE2BFF0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE9DFC0 13_2_6CE9DFC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF03FC0 13_2_6CF03FC0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDA1F90 13_2_6CDA1F90
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CED7F20 13_2_6CED7F20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD75F30 13_2_6CD75F30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB5F20 13_2_6CDB5F20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5F8F0 13_2_6CE5F8F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEDB8F0 13_2_6CEDB8F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD8D8E0 13_2_6CD8D8E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB38E0 13_2_6CDB38E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDDD810 13_2_6CDDD810
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB99D0 13_2_6CDB99D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE179F0 13_2_6CE179F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE199C0 13_2_6CE199C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE59F0 13_2_6CDE59F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD91980 13_2_6CD91980
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE51990 13_2_6CE51990
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE3D960 13_2_6CE3D960
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDFF960 13_2_6CDFF960
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE35920 13_2_6CE35920
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CECF900 13_2_6CECF900
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD81AE0 13_2_6CD81AE0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5DAB0 13_2_6CE5DAB0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF09A50 13_2_6CF09A50
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE7DA30 13_2_6CE7DA30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD9BBD4 13_2_6CD9BBD4
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDC7BF0 13_2_6CDC7BF0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE49BB0 13_2_6CE49BB0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD71B80 13_2_6CD71B80
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE65B90 13_2_6CE65B90
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD9BA0 13_2_6CDD9BA0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE5FB60 13_2_6CE5FB60
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDCBB20 13_2_6CDCBB20
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD814E0 13_2_6CD814E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF014A0 13_2_6CF014A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE69430 13_2_6CE69430
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE0D410 13_2_6CE0D410
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE055F0 13_2_6CE055F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB9590 13_2_6CDB9590
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD95510 13_2_6CD95510
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE7500 13_2_6CDE7500
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CECF510 13_2_6CECF510
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDB16A0 13_2_6CDB16A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE96A0 13_2_6CDE96A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD99650 13_2_6CD99650
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDD5640 13_2_6CDD5640
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDF7610 13_2_6CDF7610
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDA9600 13_2_6CDA9600
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC37C0 13_2_6CEC37C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE0B7A0 13_2_6CE0B7A0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE59720 13_2_6CE59720
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDED710 13_2_6CDED710
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDA3720 13_2_6CDA3720
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE37090 13_2_6CE37090
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD7D050 13_2_6CD7D050
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD89050 13_2_6CD89050
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE2F050 13_2_6CE2F050
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDCB020 13_2_6CDCB020
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE31C0 13_2_6CDE31C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD931E0 13_2_6CD931E0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDCF150 13_2_6CDCF150
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE43120 13_2_6CE43120
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: String function: 6CDDC5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: String function: 6CEB9F30 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: String function: 6CDA9B10 appears 114 times
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: String function: 6CDA3620 appears 106 times
Source: BIm18E9.exe.11.dr Static PE information: No import functions for PE file found
Source: BIm18E9[1].exe.11.dr Static PE information: No import functions for PE file found
Source: rRYQiGZ4K3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rRYQiGZ4K3.exe Static PE information: Section: ZLIB complexity 0.9986925361570248
Source: rRYQiGZ4K3.exe Static PE information: Section: jcuiltll ZLIB complexity 0.9947780098142044
Source: rapes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9986925361570248
Source: rapes.exe.0.dr Static PE information: Section: jcuiltll ZLIB complexity 0.9947780098142044
Source: random[3].exe.11.dr Static PE information: Section: ZLIB complexity 0.9993787770356234
Source: 871714e72e.exe.11.dr Static PE information: Section: ZLIB complexity 0.9993787770356234
Source: 4bEpXMZ[1].exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: 4bEpXMZ.exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: 4bEpXMZ.exe0.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: random[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.9980576064560439
Source: 4aa1430779.exe.11.dr Static PE information: Section: ZLIB complexity 0.9980576064560439
Source: random[1].exe0.11.dr Static PE information: Section: ajxospfk ZLIB complexity 0.994741306500466
Source: 98f2fbda18.exe.11.dr Static PE information: Section: ajxospfk ZLIB complexity 0.994741306500466
Source: f73ae_003[1].exe.11.dr Static PE information: Section: z2 ZLIB complexity 0.9914302453131233
Source: f73ae_003.exe.11.dr Static PE information: Section: z2 ZLIB complexity 0.9914302453131233
Source: random[3].exe0.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: random[3].exe0.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: e051231d4e.exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: e051231d4e.exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003337967867232
Source: f59cb4f3ef.exe.11.dr Static PE information: Section: ZLIB complexity 0.9980576064560439
Source: e240a344bf.exe.11.dr Static PE information: Section: ajxospfk ZLIB complexity 0.994741306500466
Source: 4858284b54.exe.11.dr Static PE information: Section: qkaqrojp ZLIB complexity 0.9947809088226616
Source: random[1].exe2.11.dr Static PE information: Section: qkaqrojp ZLIB complexity 0.9947809088226616
Source: 43a132b865.exe.11.dr Static PE information: Section: qkaqrojp ZLIB complexity 0.9947809088226616
Source: random[2].exe.11.dr Static PE information: Section: ZLIB complexity 1.0000711221988796
Source: random[2].exe.11.dr Static PE information: Section: pouoahlt ZLIB complexity 0.994614870030581
Source: b4ba663854.exe.11.dr Static PE information: Section: ZLIB complexity 1.0000711221988796
Source: b4ba663854.exe.11.dr Static PE information: Section: pouoahlt ZLIB complexity 0.994614870030581
Source: random[2].exe0.11.dr Static PE information: Section: ZLIB complexity 0.9998534304101222
Source: 1c2040cc08.exe.11.dr Static PE information: Section: ZLIB complexity 0.9998534304101222
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: Section: ZLIB complexity 0.9986602530991735
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: Section: gepwgapg ZLIB complexity 0.9945153181646526
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: Section: ZLIB complexity 0.9986602530991735
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: Section: gepwgapg ZLIB complexity 0.9945153181646526
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: Section: ZLIB complexity 0.9986602530991735
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: Section: gepwgapg ZLIB complexity 0.9945153181646526
Source: random[2].exe.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[2].exe0.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[3].exe.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 1c2040cc08.exe.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: b4ba663854.exe.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 871714e72e.exe.11.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
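The "ZLIB complexity" values above are the ratio of a section's zlib-compressed size to its raw size: values near 1.0, or marginally above it, mean the section does not compress at all, which is what packed or encrypted payload sections look like. The following is an added example, not part of the sandbox report or its tooling: it walks a PE section table with the standard library only and reproduces that per-section ratio. The 0.99 "likely packed" threshold, the minimal PE builder and the two sample sections are assumptions constructed for illustration, not data from the sample.

```python
# Added example (not part of the sandbox report): compute the per-section
# "ZLIB complexity" ratio that the static PE statistics above report, by
# walking the PE section table with the standard library only.
# The 0.99 packed-section threshold is an assumption for illustration.
import hashlib
import struct
import zlib

PACKED_THRESHOLD = 0.99


def zlib_complexity(data: bytes) -> float:
    """len(zlib(data)) / len(data): near 0 for repetitive bytes, ~1.0 for
    high-entropy bytes, and slightly above 1.0 when nothing compresses and
    zlib's stream framing is pure overhead (the 1.0003... values above)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section with data on disk.
    Layout: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header (20 bytes)
    -> optional header (SizeOfOptionalHeader) -> 40-byte section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    size_opt, = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        if raw_size and raw_ptr:
            yield name, pe[raw_ptr:raw_ptr + raw_size]


def section_report(pe: bytes, threshold: float = PACKED_THRESHOLD):
    """[(name, complexity, likely_packed)] for every section in the image."""
    out = []
    for name, data in parse_sections(pe):
        c = zlib_complexity(data)
        out.append((name, round(c, 4), c >= threshold))
    return out


def build_test_pe(sections):
    """Build a minimal, non-runnable PE32 image containing the given
    [(name, raw_bytes)] so the parser can be exercised offline.
    Constructed test data, not derived from any real sample."""
    e_lfanew, size_opt, align = 0x40, 0xE0, 0x200
    hdr_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    hdr_len_aligned = -(-hdr_len // align) * align
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, raw_ptr, va = bytearray(), bytearray(), hdr_len_aligned, 0x1000
    for name, data in sections:
        padded = data.ljust(-(-len(data) // align) * align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        va += -(-len(padded) // 0x1000) * 0x1000
    return bytes(dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len_aligned, b"\0") + bytes(body)


# Constructed sections: one repetitive (compresses well) and one filled with
# deterministic high-entropy bytes standing in for a packed/encrypted section.
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 0x1000 + b"\xcc" * 0x1000),
    ("jcuiltll", b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(256))),
]

if __name__ == "__main__":
    for name, ratio, packed in section_report(build_test_pe(SAMPLE_SECTIONS)):
        print(f"{name:<8} ZLIB complexity {ratio:.4f}{'  <- likely packed' if packed else ''}")
```

Ratios slightly above 1.0 are expected rather than a measurement error: when the section is incompressible, deflate falls back to stored blocks, and the zlib header, block headers and Adler-32 trailer add a few bytes on top of the raw size. A complexity this high in a section with a random eight-character name (jcuiltll, ajxospfk, qkaqrojp, pouoahlt, gepwgapg above) is the static signal that the code is unpacked at runtime, consistent with the "No import functions" findings for the same family of files.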
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@113/91@0/19
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 13_2_6CDE0300
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 98f2fbda18.exe, 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 4aa1430779.exe, 0000000C.00000003.1473140795.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1453998635.0000000005BD5000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1454699612.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1472026072.0000000005C06000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1472378280.0000000005BC4000.00000004.00000800.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1858523478.0000000005D8B000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000003.1734391037.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1809119576.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1806546245.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1829695958.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 98f2fbda18.exe, 0000000D.00000002.2078555766.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2065049572.0000000005EC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: rRYQiGZ4K3.exe Virustotal: Detection: 55%
Source: rRYQiGZ4K3.exe ReversingLabs: Detection: 61%
Source: rRYQiGZ4K3.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rRYQiGZ4K3.exe String found in binary or memory: " /add /y
Source: rRYQiGZ4K3.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: " /add
Source: 98f2fbda18.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File read: C:\Users\user\Desktop\rRYQiGZ4K3.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rRYQiGZ4K3.exe "C:\Users\user\Desktop\rRYQiGZ4K3.exe"
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe "C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe "C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe "C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe "C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe"
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --subproc-heap-profiling --field-trial-handle=2208,i,15468814367400949569,2416210715821144008,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe "C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe"
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe "C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe"
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe "C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe"
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe "C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe"
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2992,i,7740229155416659085,13242452531407460704,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3012 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d3ef95-0888-4317-9b75-296e38a04e28} 6400 "\\.\pipe\gecko-crash-server-pipe.6400" 26d5cf6a110 socket
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe "C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe"
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2104,i,11169080278526208488,12123443454787713303,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2244,i,18186824461368831228,8997466204687017139,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe "C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe"
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe "C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe "C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe "C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe "C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe "C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe "C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe "C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --subproc-heap-profiling --field-trial-handle=2208,i,15468814367400949569,2416210715821144008,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2168 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2992,i,7740229155416659085,13242452531407460704,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3012 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d3ef95-0888-4317-9b75-296e38a04e28} 6400 "\\.\pipe\gecko-crash-server-pipe.6400" 26d5cf6a110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2104,i,11169080278526208488,12123443454787713303,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2244,i,18186824461368831228,8997466204687017139,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: rRYQiGZ4K3.exe Static file information: File size 1911296 > 1048576
Source: rRYQiGZ4K3.exe Static PE information: Raw size of jcuiltll is bigger than: 0x100000 < 0x1a1200
Source: Binary string: mozglue.pdbP source: 98f2fbda18.exe, 0000000D.00000002.2083514575.00000000706AD000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: nss3.pdb@ source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.13.dr
Source: Binary string: nss3.pdb source: 98f2fbda18.exe, 0000000D.00000002.2080982611.000000006CF0F000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.13.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 43a132b865.exe, 00000019.00000002.1828791523.0000000000982000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: mozglue.pdb source: 98f2fbda18.exe, 0000000D.00000002.2083514575.00000000706AD000.00000002.00000001.01000000.0000001A.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Unpacked PE file: 0.2.rRYQiGZ4K3.exe.80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 1.2.rapes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 2.2.rapes.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jcuiltll:EW;gqicuvhy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Unpacked PE file: 12.2.4aa1430779.exe.570000.0.unpack :EW;.rsrc:W;.idata :W;lqfpqqbq:EW;stpsldwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lqfpqqbq:EW;stpsldwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Unpacked PE file: 13.2.98f2fbda18.exe.240000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ajxospfk:EW;fdhsnvbg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ajxospfk:EW;fdhsnvbg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Unpacked PE file: 14.2.4aa1430779.exe.570000.0.unpack :EW;.rsrc:W;.idata :W;lqfpqqbq:EW;stpsldwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lqfpqqbq:EW;stpsldwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Unpacked PE file: 25.2.43a132b865.exe.980000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qkaqrojp:EW;dvvcrdvk:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Unpacked PE file: 30.2.GQBW1T0IDBJMVUA99J2.exe.890000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gepwgapg:EW;dashrvhk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gepwgapg:EW;dashrvhk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Unpacked PE file: 34.2.98f2fbda18.exe.240000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ajxospfk:EW;fdhsnvbg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ajxospfk:EW;fdhsnvbg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Unpacked PE file: 40.2.b4ba663854.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pouoahlt:EW;gpuxgpqt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pouoahlt:EW;gpuxgpqt:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: BIm18E9.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x4ed08d
Source: WLbfHbp.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x17b823
Source: 4858284b54.exe.11.dr Static PE information: real checksum: 0x1b62ed should be: 0x1bc9be
Source: rapes.exe.0.dr Static PE information: real checksum: 0x1d3606 should be: 0x1d9d15
Source: 7IIl2eE.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x131f80
Source: f59cb4f3ef.exe.11.dr Static PE information: real checksum: 0x2e86c5 should be: 0x2f1c76
Source: e240a344bf.exe.11.dr Static PE information: real checksum: 0x1b9fa4 should be: 0x1adfac
Source: random[2].exe.11.dr Static PE information: real checksum: 0x1d177b should be: 0x1cebfe
Source: TbV75ZR[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x17b823
Source: random[1].exe.11.dr Static PE information: real checksum: 0x2e86c5 should be: 0x2f1c76
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: real checksum: 0x1dbf46 should be: 0x1d5e0c
Source: f73ae_003.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x15b9e5
Source: 98f2fbda18.exe.11.dr Static PE information: real checksum: 0x1b9fa4 should be: 0x1adfac
Source: 7IIl2eE[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x131f80
Source: random[3].exe0.11.dr Static PE information: real checksum: 0x0 should be: 0x120e1d
Source: random[2].exe0.11.dr Static PE information: real checksum: 0x4769cf should be: 0x4833af
Source: 4bEpXMZ.exe0.11.dr Static PE information: real checksum: 0x0 should be: 0x179cdb
Source: random[3].exe.11.dr Static PE information: real checksum: 0x461413 should be: 0x46d85b
Source: random[1].exe0.11.dr Static PE information: real checksum: 0x1b9fa4 should be: 0x1adfac
Source: TbV75ZR.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x17b823
Source: 4bEpXMZ[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x179cdb
Source: WLbfHbp[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x17b823
Source: 1c2040cc08.exe.11.dr Static PE information: real checksum: 0x4769cf should be: 0x4833af
Source: e051231d4e.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x120e1d
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: real checksum: 0x1dbf46 should be: 0x1d5e0c
Source: b4ba663854.exe.11.dr Static PE information: real checksum: 0x1d177b should be: 0x1cebfe
Source: f73ae_003[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x15b9e5
Source: 871714e72e.exe.11.dr Static PE information: real checksum: 0x461413 should be: 0x46d85b
Source: 4aa1430779.exe.11.dr Static PE information: real checksum: 0x2e86c5 should be: 0x2f1c76
Source: 43a132b865.exe.11.dr Static PE information: real checksum: 0x1b62ed should be: 0x1bc9be
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: real checksum: 0x1dbf46 should be: 0x1d5e0c
Source: BIm18E9[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x4ed08d
Source: 4bEpXMZ.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x179cdb
Source: random[1].exe2.11.dr Static PE information: real checksum: 0x1b62ed should be: 0x1bc9be
Source: rRYQiGZ4K3.exe Static PE information: real checksum: 0x1d3606 should be: 0x1d9d15
Source: rRYQiGZ4K3.exe Static PE information: section name:
Source: rRYQiGZ4K3.exe Static PE information: section name: .idata
Source: rRYQiGZ4K3.exe Static PE information: section name:
Source: rRYQiGZ4K3.exe Static PE information: section name: jcuiltll
Source: rRYQiGZ4K3.exe Static PE information: section name: gqicuvhy
Source: rRYQiGZ4K3.exe Static PE information: section name: .taggant
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: jcuiltll
Source: rapes.exe.0.dr Static PE information: section name: gqicuvhy
Source: rapes.exe.0.dr Static PE information: section name: .taggant
Source: random[3].exe.11.dr Static PE information: section name:
Source: random[3].exe.11.dr Static PE information: section name: .idata
Source: random[3].exe.11.dr Static PE information: section name:
Source: random[3].exe.11.dr Static PE information: section name: qenlmgdj
Source: random[3].exe.11.dr Static PE information: section name: kjtymyun
Source: random[3].exe.11.dr Static PE information: section name: .taggant
Source: 871714e72e.exe.11.dr Static PE information: section name:
Source: 871714e72e.exe.11.dr Static PE information: section name: .idata
Source: 871714e72e.exe.11.dr Static PE information: section name:
Source: 871714e72e.exe.11.dr Static PE information: section name: qenlmgdj
Source: 871714e72e.exe.11.dr Static PE information: section name: kjtymyun
Source: 871714e72e.exe.11.dr Static PE information: section name: .taggant
Source: 4bEpXMZ[1].exe.11.dr Static PE information: section name: .gxfg
Source: 4bEpXMZ[1].exe.11.dr Static PE information: section name: .retplne
Source: 4bEpXMZ[1].exe.11.dr Static PE information: section name: _RDATA
Source: 4bEpXMZ[1].exe.11.dr Static PE information: section name: .cSs
Source: 4bEpXMZ.exe.11.dr Static PE information: section name: .gxfg
Source: 4bEpXMZ.exe.11.dr Static PE information: section name: .retplne
Source: 4bEpXMZ.exe.11.dr Static PE information: section name: _RDATA
Source: 4bEpXMZ.exe.11.dr Static PE information: section name: .cSs
Source: 4bEpXMZ.exe0.11.dr Static PE information: section name: .gxfg
Source: 4bEpXMZ.exe0.11.dr Static PE information: section name: .retplne
Source: 4bEpXMZ.exe0.11.dr Static PE information: section name: _RDATA
Source: 4bEpXMZ.exe0.11.dr Static PE information: section name: .cSs
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name: .idata
Source: random[1].exe.11.dr Static PE information: section name: lqfpqqbq
Source: random[1].exe.11.dr Static PE information: section name: stpsldwz
Source: random[1].exe.11.dr Static PE information: section name: .taggant
Source: 4aa1430779.exe.11.dr Static PE information: section name:
Source: 4aa1430779.exe.11.dr Static PE information: section name: .idata
Source: 4aa1430779.exe.11.dr Static PE information: section name: lqfpqqbq
Source: 4aa1430779.exe.11.dr Static PE information: section name: stpsldwz
Source: 4aa1430779.exe.11.dr Static PE information: section name: .taggant
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: ajxospfk
Source: random[1].exe0.11.dr Static PE information: section name: fdhsnvbg
Source: random[1].exe0.11.dr Static PE information: section name: .taggant
Source: 98f2fbda18.exe.11.dr Static PE information: section name:
Source: 98f2fbda18.exe.11.dr Static PE information: section name: .idata
Source: 98f2fbda18.exe.11.dr Static PE information: section name:
Source: 98f2fbda18.exe.11.dr Static PE information: section name: ajxospfk
Source: 98f2fbda18.exe.11.dr Static PE information: section name: fdhsnvbg
Source: 98f2fbda18.exe.11.dr Static PE information: section name: .taggant
Source: f73ae_003[1].exe.11.dr Static PE information: section name: z0
Source: f73ae_003[1].exe.11.dr Static PE information: section name: z1
Source: f73ae_003[1].exe.11.dr Static PE information: section name: z2
Source: f73ae_003.exe.11.dr Static PE information: section name: z0
Source: f73ae_003.exe.11.dr Static PE information: section name: z1
Source: f73ae_003.exe.11.dr Static PE information: section name: z2
Source: random[3].exe0.11.dr Static PE information: section name: .gxfg
Source: random[3].exe0.11.dr Static PE information: section name: .retplne
Source: random[3].exe0.11.dr Static PE information: section name: _RDATA
Source: random[3].exe0.11.dr Static PE information: section name: .cSs
Source: random[3].exe0.11.dr Static PE information: section name: .cSs
Source: e051231d4e.exe.11.dr Static PE information: section name: .gxfg
Source: e051231d4e.exe.11.dr Static PE information: section name: .retplne
Source: e051231d4e.exe.11.dr Static PE information: section name: _RDATA
Source: e051231d4e.exe.11.dr Static PE information: section name: .cSs
Source: e051231d4e.exe.11.dr Static PE information: section name: .cSs
Source: f59cb4f3ef.exe.11.dr Static PE information: section name:
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: .idata
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: lqfpqqbq
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: stpsldwz
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: .taggant
Source: e240a344bf.exe.11.dr Static PE information: section name:
Source: e240a344bf.exe.11.dr Static PE information: section name: .idata
Source: e240a344bf.exe.11.dr Static PE information: section name:
Source: e240a344bf.exe.11.dr Static PE information: section name: ajxospfk
Source: e240a344bf.exe.11.dr Static PE information: section name: fdhsnvbg
Source: e240a344bf.exe.11.dr Static PE information: section name: .taggant
Source: 4858284b54.exe.11.dr Static PE information: section name:
Source: 4858284b54.exe.11.dr Static PE information: section name: .idata
Source: 4858284b54.exe.11.dr Static PE information: section name:
Source: 4858284b54.exe.11.dr Static PE information: section name: qkaqrojp
Source: 4858284b54.exe.11.dr Static PE information: section name: dvvcrdvk
Source: 4858284b54.exe.11.dr Static PE information: section name: .taggant
Source: random[1].exe2.11.dr Static PE information: section name:
Source: random[1].exe2.11.dr Static PE information: section name: .idata
Source: random[1].exe2.11.dr Static PE information: section name:
Source: random[1].exe2.11.dr Static PE information: section name: qkaqrojp
Source: random[1].exe2.11.dr Static PE information: section name: dvvcrdvk
Source: random[1].exe2.11.dr Static PE information: section name: .taggant
Source: 43a132b865.exe.11.dr Static PE information: section name:
Source: 43a132b865.exe.11.dr Static PE information: section name: .idata
Source: 43a132b865.exe.11.dr Static PE information: section name:
Source: 43a132b865.exe.11.dr Static PE information: section name: qkaqrojp
Source: 43a132b865.exe.11.dr Static PE information: section name: dvvcrdvk
Source: 43a132b865.exe.11.dr Static PE information: section name: .taggant
Source: random[2].exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name: .idata
Source: random[2].exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name: pouoahlt
Source: random[2].exe.11.dr Static PE information: section name: gpuxgpqt
Source: random[2].exe.11.dr Static PE information: section name: .taggant
Source: b4ba663854.exe.11.dr Static PE information: section name:
Source: b4ba663854.exe.11.dr Static PE information: section name: .idata
Source: b4ba663854.exe.11.dr Static PE information: section name:
Source: b4ba663854.exe.11.dr Static PE information: section name: pouoahlt
Source: b4ba663854.exe.11.dr Static PE information: section name: gpuxgpqt
Source: b4ba663854.exe.11.dr Static PE information: section name: .taggant
Source: random[2].exe0.11.dr Static PE information: section name:
Source: random[2].exe0.11.dr Static PE information: section name: .idata
Source: random[2].exe0.11.dr Static PE information: section name:
Source: random[2].exe0.11.dr Static PE information: section name: rncpeirq
Source: random[2].exe0.11.dr Static PE information: section name: bkxaayvx
Source: random[2].exe0.11.dr Static PE information: section name: .taggant
Source: 1c2040cc08.exe.11.dr Static PE information: section name:
Source: 1c2040cc08.exe.11.dr Static PE information: section name: .idata
Source: 1c2040cc08.exe.11.dr Static PE information: section name:
Source: 1c2040cc08.exe.11.dr Static PE information: section name: rncpeirq
Source: 1c2040cc08.exe.11.dr Static PE information: section name: bkxaayvx
Source: 1c2040cc08.exe.11.dr Static PE information: section name: .taggant
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name:
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: .idata
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name:
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: gepwgapg
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: dashrvhk
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: .taggant
Source: softokn3[1].dll.13.dr Static PE information: section name: .00cfg
Source: freebl3.dll.13.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.13.dr Static PE information: section name: .00cfg
Source: mozglue.dll.13.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.13.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.13.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.13.dr Static PE information: section name: .didat
Source: nss3.dll.13.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.13.dr Static PE information: section name: .00cfg
Source: softokn3.dll.13.dr Static PE information: section name: .00cfg
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name:
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: .idata
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name:
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: gepwgapg
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: dashrvhk
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: .taggant
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name:
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: .idata
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name:
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: gepwgapg
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: dashrvhk
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_013B4BCB push esp; retn 0074h 12_3_013B4BCC
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Code function: 12_3_01403398 pushfd ; retn 0002h 12_3_014033DA
Source: rRYQiGZ4K3.exe Static PE information: section name: entropy: 7.9826932580669885
Source: rRYQiGZ4K3.exe Static PE information: section name: jcuiltll entropy: 7.95401908089509
Source: rapes.exe.0.dr Static PE information: section name: entropy: 7.9826932580669885
Source: rapes.exe.0.dr Static PE information: section name: jcuiltll entropy: 7.95401908089509
Source: random[3].exe.11.dr Static PE information: section name: entropy: 7.976644054661237
Source: random[3].exe.11.dr Static PE information: section name: qenlmgdj entropy: 7.946013448384008
Source: 871714e72e.exe.11.dr Static PE information: section name: entropy: 7.976644054661237
Source: 871714e72e.exe.11.dr Static PE information: section name: qenlmgdj entropy: 7.946013448384008
Source: random[1].exe.11.dr Static PE information: section name: entropy: 7.990352184338431
Source: 4aa1430779.exe.11.dr Static PE information: section name: entropy: 7.990352184338431
Source: random[1].exe0.11.dr Static PE information: section name: ajxospfk entropy: 7.953819166107309
Source: 98f2fbda18.exe.11.dr Static PE information: section name: ajxospfk entropy: 7.953819166107309
Source: f73ae_003[1].exe.11.dr Static PE information: section name: z2 entropy: 7.986156524412056
Source: f73ae_003.exe.11.dr Static PE information: section name: z2 entropy: 7.986156524412056
Source: f59cb4f3ef.exe.11.dr Static PE information: section name: entropy: 7.990352184338431
Source: e240a344bf.exe.11.dr Static PE information: section name: ajxospfk entropy: 7.953819166107309
Source: 4858284b54.exe.11.dr Static PE information: section name: qkaqrojp entropy: 7.953081518825469
Source: random[1].exe2.11.dr Static PE information: section name: qkaqrojp entropy: 7.953081518825469
Source: 43a132b865.exe.11.dr Static PE information: section name: qkaqrojp entropy: 7.953081518825469
Source: random[2].exe.11.dr Static PE information: section name: entropy: 7.9839538899573785
Source: random[2].exe.11.dr Static PE information: section name: pouoahlt entropy: 7.954265450001787
Source: b4ba663854.exe.11.dr Static PE information: section name: entropy: 7.9839538899573785
Source: b4ba663854.exe.11.dr Static PE information: section name: pouoahlt entropy: 7.954265450001787
Source: random[2].exe0.11.dr Static PE information: section name: entropy: 7.976630260186399
Source: random[2].exe0.11.dr Static PE information: section name: rncpeirq entropy: 7.94814176659921
Source: 1c2040cc08.exe.11.dr Static PE information: section name: entropy: 7.976630260186399
Source: 1c2040cc08.exe.11.dr Static PE information: section name: rncpeirq entropy: 7.94814176659921
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: entropy: 7.977935826146418
Source: GQBW1T0IDBJMVUA99J2.exe.12.dr Static PE information: section name: gepwgapg entropy: 7.954307807688752
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: entropy: 7.977935826146418
Source: O2APV2CTD3DNPOGLWQ211ODNXDP.exe.14.dr Static PE information: section name: gepwgapg entropy: 7.954307807688752
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: entropy: 7.977935826146418
Source: Q0QJBHVF9L167VZGN61GMYN1MW6L.exe.20.dr Static PE information: section name: gepwgapg entropy: 7.954307807688752
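The section entries above show the two static indicators the sandbox keys on: randomly named or blank section names (jcuiltll, qkaqrojp, an empty name) and per-section entropy close to the 8.0 bits/byte ceiling, which is what compressed or encrypted payload data looks like. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the PE section table with the standard library only and reproduces both checks, so the same triage can be run over the dropped files listed further down. The section-name allow-list and the 7.0 threshold are this example's own heuristics, and the PE image it builds for the stand-alone run is constructed (the "jcuiltll" section holds hashed filler, not data from the sample).

```python
"""Per-section Shannon entropy and section-name checks for a PE image.

Pure Python (stdlib only) so it runs on an analysis box without pefile.
"""
import hashlib
import math
import struct
from collections import Counter

# Section names mainstream toolchains emit; anything else deserves a look.
# Membership is a triage heuristic, not a verdict.
COMMON_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".pdata", ".CRT", ".didat", ".00cfg", "_RDATA",
}
# Assumed threshold: compressed or encrypted payloads sit close to 8.0 bits/byte.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    n = len(data)
    entropy = 0.0
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def parse_sections(image: bytes):
    """Walk DOS -> PE -> COFF -> section table; yield (name, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        size_raw, ptr_raw = struct.unpack_from("<II", hdr, 16)
        # Names are NUL-padded 8-byte fields; latin-1 keeps any odd bytes visible.
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        yield name, image[ptr_raw:ptr_raw + size_raw]


def assess_sections(image: bytes) -> list:
    """One dict per section: name, raw size, entropy and the reasons it stands out."""
    rows = []
    for name, data in parse_sections(image):
        entropy = shannon_entropy(data)
        flags = []
        if not name.strip() or not name.isprintable():
            flags.append("blank or non-printable name")
        elif name not in COMMON_SECTION_NAMES:
            flags.append("non-standard name")
        if entropy >= PACKED_ENTROPY_THRESHOLD:
            flags.append("high entropy (likely packed or encrypted)")
        rows.append({"name": name, "size": len(data),
                     "entropy": round(entropy, 4), "flags": flags})
    return rows


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real sample)."""
    pseudo_random = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest()
                             for i in range(256))        # 8 KiB, near 8 bits/byte
    sections = [
        (b".text", bytes([0x90]) * 512),    # constant filler, entropy 0
        (b"jcuiltll", pseudo_random),       # random-looking name + packed-looking data
        (b"\0" * 8, b"\0" * 256),           # blank name, as seen on packed droppers
    ]
    opt_size, file_align, section_align = 0xE0, 0x200, 0x1000
    ptr = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    va, headers, blobs = section_align, [], []
    for name, data in sections:
        headers.append(struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data),
                                   ptr, 0, 0, 0, 0, 0x60000020))
        blobs.append((ptr, data))
        ptr += -(-len(data) // file_align) * file_align
        va += -(-len(data) // section_align) * section_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    image = bytearray(dos + b"PE\0\0" + coff + opt + b"".join(headers))
    image += b"\0" * (ptr - len(image))
    for offset, data in blobs:
        image[offset:offset + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for row in assess_sections(target):
        print(f"{row['name']!r:12} {row['size']:8d} {row['entropy']:.4f}  {', '.join(row['flags'])}")
```

Run it with a dropped file as the only argument to get one row per section; with no argument it evaluates the constructed image. High entropy on its own is not proof of malice, since legitimate installers and resource sections are compressed too; what makes the entries above notable is the combination of near-maximal entropy with random or empty section names across a whole family of droppers.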
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341590101\1c2040cc08.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341700101\e240a344bf.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341710101\d83a92e1f3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Jump to dropped file
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7IIl2eE[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341610101\4bEpXMZ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\f73ae_003[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\4bEpXMZ[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\WLbfHbp[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341650101\TbV75ZR.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File created: C:\Users\user\AppData\Local\Temp\Q0QJBHVF9L167VZGN61GMYN1MW6L.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File created: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341690101\f59cb4f3ef.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341660101\f73ae_003.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341640101\7IIl2eE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341680101\e051231d4e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341720101\4858284b54.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\TbV75ZR[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File created: C:\Users\user\AppData\Local\Temp\O2APV2CTD3DNPOGLWQ211ODNXDP.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341630101\BIm18E9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\BIm18E9[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341670101\WLbfHbp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341600101\871714e72e.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 01f5cbd84e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98f2fbda18.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4858284b54.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4aa1430779.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d83a92e1f3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 43a132b865.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e240a344bf.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f59cb4f3ef.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File created: C:\Windows\Tasks\rapes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: F3163 second address: F316F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A93A2 second address: 2A93A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9130 second address: 2A9157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBCAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FB8D4EECBD1h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A93A6 second address: 2A93CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FB8D4BFEE04h 0x00000012 jc 00007FB8D4BFEDFCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A93CF second address: 2A943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+12455A8Dh], eax 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+122D188Bh], ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FB8D4EECBC8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 pushad 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 pushad 0x00000039 jmp 00007FB8D4EECBD6h 0x0000003e push eax 0x0000003f pop eax 0x00000040 popad 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FB8D4EECBCCh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9EAD second address: 2A9EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9C59 second address: 2A9C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9EB1 second address: 2A9EC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FB8D4BFEDFCh 0x00000010 jns 00007FB8D4BFEDF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9C5D second address: 2A9C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9EC7 second address: 2A9ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2A9ECD second address: 2A9ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AAA4D second address: 2AAA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AAA51 second address: 2AAA67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AAA67 second address: 2AAA93 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB8D4BFEDFAh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB8D4BFEE09h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AAB25 second address: 2AAB2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AE1A5 second address: 2AE1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AE75E second address: 2AE7EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8D4EECBD9h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e call 00007FB8D4EECBCFh 0x00000013 or di, 4549h 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FB8D4EECBC8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 adc bh, FFFFFFC7h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007FB8D4EECBC8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 jne 00007FB8D4EECBCCh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AE7EB second address: 2AE7F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AE7F0 second address: 2AE817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB8D4EECBD9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AE817 second address: 2AE82C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AFAA6 second address: 2AFAAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AEA7B second address: 2AEA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AEA7F second address: 2AEA85 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B19C2 second address: 2B1A3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8D4BFEDFEh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FB8D4BFEE00h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FB8D4BFEDF8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov ebx, esi 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+122D1A1Ah] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FB8D4BFEDF8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov ebx, edi 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B0C87 second address: 2B0C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B1A3F second address: 2B1A45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B1A45 second address: 2B1A6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB8D4EECBD3h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB8D4EECBCAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B3BA7 second address: 2B3BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8D4BFEDF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B2C9D second address: 2B2CA7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8D4EECBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B2CA7 second address: 2B2D86 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB8D4BFEDF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jg 00007FB8D4BFEE00h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FB8D4BFEDF8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+122D289Ch] 0x00000034 push dword ptr fs:[00000000h] 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007FB8D4BFEDF8h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000015h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 jmp 00007FB8D4BFEE03h 0x0000005a mov dword ptr fs:[00000000h], esp 0x00000061 xor dword ptr [ebp+122D21ABh], edx 0x00000067 mov eax, dword ptr [ebp+122D02DDh] 0x0000006d call 00007FB8D4BFEE07h 0x00000072 mov dword ptr [ebp+122D1871h], edi 0x00000078 pop ebx 0x00000079 push FFFFFFFFh 0x0000007b mov edi, 655DF01Dh 0x00000080 push eax 0x00000081 pushad 0x00000082 jmp 00007FB8D4BFEE07h 0x00000087 push eax 0x00000088 push edx 0x00000089 jmp 00007FB8D4BFEDFFh 0x0000008e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B3CCA second address: 2B3CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B2D86 second address: 2B2D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B4BB4 second address: 2B4BB9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B3CCE second address: 2B3CD8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8D4BFEDF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B3CD8 second address: 2B3CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBD8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B3CF4 second address: 2B3D94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop ecx 0x00000011 jg 00007FB8D4BFEDFCh 0x00000017 popad 0x00000018 nop 0x00000019 cld 0x0000001a push dword ptr fs:[00000000h] 0x00000021 push esi 0x00000022 xor dword ptr [ebp+122D1C4Bh], ebx 0x00000028 pop edi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FB8D4BFEDF8h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov edi, ebx 0x0000004c mov eax, dword ptr [ebp+122D08ADh] 0x00000052 call 00007FB8D4BFEDFFh 0x00000057 pushad 0x00000058 adc ecx, 6622303Ah 0x0000005e add cl, FFFFFFABh 0x00000061 popad 0x00000062 pop edi 0x00000063 push FFFFFFFFh 0x00000065 nop 0x00000066 jmp 00007FB8D4BFEE01h 0x0000006b push eax 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f js 00007FB8D4BFEDF6h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B78BF second address: 2B78C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B8705 second address: 2B876B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FB8D4BFEDF8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov edi, dword ptr [ebp+122D26FAh] 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+12484C59h], edx 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 push ebx 0x00000039 jmp 00007FB8D4BFEE05h 0x0000003e pop ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 jne 00007FB8D4BFEDF6h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B876B second address: 2B8783 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4EECBCDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B8783 second address: 2B878C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B878C second address: 2B8792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B5BA1 second address: 2B5BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B5BA7 second address: 2B5C4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e movzx edi, si 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FB8D4EECBC8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D1B0Ch], edi 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov edi, dword ptr [ebp+1245A27Dh] 0x00000045 mov eax, dword ptr [ebp+122D0819h] 0x0000004b push 00000000h 0x0000004d push esi 0x0000004e call 00007FB8D4EECBC8h 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], esi 0x00000058 add dword ptr [esp+04h], 00000014h 0x00000060 inc esi 0x00000061 push esi 0x00000062 ret 0x00000063 pop esi 0x00000064 ret 0x00000065 mov dword ptr [ebp+122D2674h], edi 0x0000006b push FFFFFFFFh 0x0000006d pushad 0x0000006e and edi, 6A3909F2h 0x00000074 mov ah, bl 0x00000076 popad 0x00000077 mov ebx, dword ptr [ebp+122DB530h] 0x0000007d nop 0x0000007e js 00007FB8D4EECBD0h 0x00000084 push eax 0x00000085 push edx 0x00000086 pushad 0x00000087 popad 0x00000088 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2BA4F2 second address: 2BA4F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2BA4F6 second address: 2BA53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FB8D4EECBC8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov edi, 3193D034h 0x00000029 push 00000000h 0x0000002b mov di, E4D5h 0x0000002f push 00000000h 0x00000031 mov bx, ax 0x00000034 mov dword ptr [ebp+1245688Dh], esi 0x0000003a xchg eax, esi 0x0000003b push edi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B7A2D second address: 2B7A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B7A31 second address: 2B7A35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B7A35 second address: 2B7ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D2AA0h] 0x0000000e jmp 00007FB8D4BFEE08h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov dword ptr [ebp+12452CEBh], eax 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 adc edi, 178A07E2h 0x0000002d mov eax, dword ptr [ebp+122D0F61h] 0x00000033 mov dword ptr [ebp+1245A351h], esi 0x00000039 push FFFFFFFFh 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007FB8D4BFEDF8h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 mov edi, dword ptr [ebp+122D18D0h] 0x0000005b mov ebx, 2050BF5Eh 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FB8D4BFEE05h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2B7ACB second address: 2B7ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2BC565 second address: 2BC56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2BD4C9 second address: 2BD54F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8D4EECBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d jno 00007FB8D4EECBC6h 0x00000013 pop eax 0x00000014 pop ebx 0x00000015 nop 0x00000016 mov bx, si 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 movsx edi, dx 0x0000002a mov eax, dword ptr [ebp+122D130Dh] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007FB8D4EECBC8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push ebx 0x0000004f call 00007FB8D4EECBC8h 0x00000054 pop ebx 0x00000055 mov dword ptr [esp+04h], ebx 0x00000059 add dword ptr [esp+04h], 00000017h 0x00000061 inc ebx 0x00000062 push ebx 0x00000063 ret 0x00000064 pop ebx 0x00000065 ret 0x00000066 or ebx, dword ptr [ebp+122D2848h] 0x0000006c push eax 0x0000006d pushad 0x0000006e push edi 0x0000006f jbe 00007FB8D4EECBC6h 0x00000075 pop edi 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C6106 second address: 2C615B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFEh 0x00000007 push edx 0x00000008 je 00007FB8D4BFEDF6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FB8D4BFEE06h 0x0000001b jmp 00007FB8D4BFEE00h 0x00000020 push eax 0x00000021 push edx 0x00000022 jp 00007FB8D4BFEDF6h 0x00000028 jmp 00007FB8D4BFEE09h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C615B second address: 2C615F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C615F second address: 2C616B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB8D4BFEDF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C616B second address: 2C6175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB8D4EECBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C92CD second address: 2C92E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d jl 00007FB8D4BFEDFCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C92E2 second address: 2C9341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jo 00007FB8D4EECBC8h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007FB8D4EECBD4h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f jmp 00007FB8D4EECBD5h 0x00000024 jmp 00007FB8D4EECBCBh 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FB8D4EECBCAh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C9341 second address: 2C9346 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C93EE second address: 2C93F8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8D4EECBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C93F8 second address: 2C9456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FB8D4BFEE00h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jc 00007FB8D4BFEDFEh 0x00000014 jbe 00007FB8D4BFEDF8h 0x0000001a pushad 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007FB8D4BFEE09h 0x00000025 mov eax, dword ptr [eax] 0x00000027 jmp 00007FB8D4BFEE00h 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C9456 second address: 2C945C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2C951A second address: F2A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xor dword ptr [esp], 18CCEA61h 0x0000000c jmp 00007FB8D4BFEDFBh 0x00000011 push dword ptr [ebp+122D0199h] 0x00000017 stc 0x00000018 call dword ptr [ebp+122D2D5Eh] 0x0000001e pushad 0x0000001f stc 0x00000020 xor eax, eax 0x00000022 or dword ptr [ebp+122D2573h], ecx 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c xor dword ptr [ebp+122D27B2h], edi 0x00000032 mov dword ptr [ebp+122D2A80h], eax 0x00000038 jp 00007FB8D4BFEE0Ah 0x0000003e jmp 00007FB8D4BFEE02h 0x00000043 mov esi, 0000003Ch 0x00000048 mov dword ptr [ebp+122D27B2h], ebx 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 pushad 0x00000053 xor si, C950h 0x00000058 mov ebx, 0AF191DCh 0x0000005d popad 0x0000005e lodsw 0x00000060 sub dword ptr [ebp+122D27B2h], eax 0x00000066 jo 00007FB8D4BFEE07h 0x0000006c jmp 00007FB8D4BFEE01h 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 clc 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a jmp 00007FB8D4BFEE05h 0x0000007f nop 0x00000080 push edx 0x00000081 push ecx 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 267A6C second address: 267A72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 267A72 second address: 267A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FB8D4BFEE02h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D236C second address: 2D2372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D25F1 second address: 2D2600 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FB8D4BFEDF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2600 second address: 2D260A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2761 second address: 2D2779 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FB8D4BFEDFDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2B99 second address: 2D2BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2BA0 second address: 2D2BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2D41 second address: 2D2D4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FB8D4EECBC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2E95 second address: 2D2E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D2E99 second address: 2D2E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D8765 second address: 2D8769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D8769 second address: 2D877B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBCCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D74FB second address: 2D74FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D76AC second address: 2D76D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8D4EECBC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB8D4EECBD3h 0x00000011 jp 00007FB8D4EECBC8h 0x00000017 popad 0x00000018 push ebx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D76D8 second address: 2D76FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8D4BFEDF6h 0x0000000a jmp 00007FB8D4BFEE05h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D7835 second address: 2D783B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D783B second address: 2D7847 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D7847 second address: 2D785A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBCDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D7CC8 second address: 2D7CD8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FB8D4BFEDFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D7CD8 second address: 2D7CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2D8603 second address: 2D8607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2DE1B4 second address: 2DE1C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB8D4EECBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2DE1C4 second address: 2DE1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AC84F second address: 2AC853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AC853 second address: 2AC86B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AC86B second address: 2AC8E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8D4EECBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FB8D4EECBC8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 pushad 0x00000028 mov ebx, 79F4087Ah 0x0000002d mov bl, D7h 0x0000002f popad 0x00000030 mov ecx, ebx 0x00000032 lea eax, dword ptr [ebp+1248D5C7h] 0x00000038 mov dword ptr [ebp+12467CE4h], edi 0x0000003e nop 0x0000003f jng 00007FB8D4EECBD4h 0x00000045 jmp 00007FB8D4EECBCEh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FB8D4EECBD3h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ACFDA second address: 2ACFDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ACFDE second address: 2ACFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e xchg eax, esi 0x0000000f add dx, 8227h 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 jno 00007FB8D4EECBC6h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ACFFD second address: 2AD014 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8D4BFEDF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jc 00007FB8D4BFEDF6h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AD1D3 second address: 2AD1D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA12 second address: 2ADA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB8D4BFEDF6h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA23 second address: 2ADA4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4EECBCEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA4B second address: 2ADA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA4F second address: 2ADA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D1B5Ch] 0x0000000e lea eax, dword ptr [ebp+1248D60Bh] 0x00000014 adc cx, 52E6h 0x00000019 push eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA6E second address: 2ADA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA72 second address: 2ADA8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ADA8A second address: 28FE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FB8D4BFEDF8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D19E1h], esi 0x00000029 lea eax, dword ptr [ebp+1248D5C7h] 0x0000002f sub dword ptr [ebp+1245EC06h], edx 0x00000035 nop 0x00000036 jmp 00007FB8D4BFEE09h 0x0000003b push eax 0x0000003c ja 00007FB8D4BFEE06h 0x00000042 nop 0x00000043 movsx edi, ax 0x00000046 call dword ptr [ebp+122D2D7Bh] 0x0000004c push eax 0x0000004d push edx 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 pop edx 0x00000052 jmp 00007FB8D4BFEE04h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1B03 second address: 2E1B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1B09 second address: 2E1B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1B0D second address: 2E1B2F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8D4EECBCEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FB8D4EECBCCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1B2F second address: 2E1B40 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8D4BFEDFCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1E22 second address: 2E1E31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007FB8D4EECBC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1E31 second address: 2E1E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FB8D4BFEDFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E1FDE second address: 2E1FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E95ED second address: 2E95F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E989C second address: 2E98AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E98AA second address: 2E98F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FB8D4BFEDFEh 0x0000000c jmp 00007FB8D4BFEE07h 0x00000011 push eax 0x00000012 jmp 00007FB8D4BFEE08h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2E9E7D second address: 2E9E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2EA2B4 second address: 2EA2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 26436C second address: 264372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ED990 second address: 2ED99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ED99A second address: 2ED9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2ED9A4 second address: 2ED9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2EFC2F second address: 2EFC39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4CB5 second address: 2F4CD3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8D4BFEE04h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FB8D4BFEDFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FB8D4BFEDF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4039 second address: 2F403E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F403E second address: 2F4059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEE07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4211 second address: 2F4233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8D4EECBD9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4233 second address: 2F423F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F423F second address: 2F4243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4243 second address: 2F424C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F439C second address: 2F43A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8D4EECBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F43A6 second address: 2F43BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FB8D4BFEDF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F43BA second address: 2F43BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F4568 second address: 2F456C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F482F second address: 2F4847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F99BC second address: 2F99C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9C5F second address: 2F9C71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8D4EECBCCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9C71 second address: 2F9C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB8D4BFEDF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9C7D second address: 2F9C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9C81 second address: 2F9C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9C85 second address: 2F9CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB8D4EECBD9h 0x0000000e jmp 00007FB8D4EECBCEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9DEA second address: 2F9E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jns 00007FB8D4BFEDF6h 0x0000000f pop ebx 0x00000010 popad 0x00000011 jg 00007FB8D4BFEE10h 0x00000017 jg 00007FB8D4BFEDFCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9E09 second address: 2F9E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8D4EECBCEh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2F9F68 second address: 2F9F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FA0BD second address: 2FA0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FA0C3 second address: 2FA0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB8D4BFEE08h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AD549 second address: 2AD584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007FB8D4EECBD2h 0x00000011 nop 0x00000012 mov ecx, eax 0x00000014 call 00007FB8D4EECBCAh 0x00000019 mov ecx, 65CA761Eh 0x0000001e pop ecx 0x0000001f push 00000004h 0x00000021 adc ch, FFFFFFBCh 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AD584 second address: 2AD58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2AD58B second address: 2AD5B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jne 00007FB8D4EECBCCh 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FDD8A second address: 2FDD98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jc 00007FB8D4BFEE02h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FDD98 second address: 2FDDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8D4EECBC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007FB8D4EECC02h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8D4EECBCCh 0x00000019 jns 00007FB8D4EECBC6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FDDBE second address: 2FDDC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FDDC2 second address: 2FDDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8D4EECBD0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FDDDC second address: 2FDDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FD513 second address: 2FD517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FD517 second address: 2FD523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 2FD523 second address: 2FD53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 304FA4 second address: 304FB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFAh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3030C8 second address: 3030D4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8D4EECBC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 30353A second address: 303555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FB8D4BFEDF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FB8D4BFEDFAh 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 303555 second address: 303589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4EECBCEh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FB8D4EECBDEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 303E87 second address: 303E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8D4BFEDFBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 303E99 second address: 303EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8D4EECBCBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 304C41 second address: 304C67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE07h 0x00000007 jmp 00007FB8D4BFEDFBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 304C67 second address: 304C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FB8D4EECBC6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007FB8D4EECBCFh 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 30939C second address: 3093A6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8D4BFEDF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 265F07 second address: 265F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 265F0B second address: 265F39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE03h 0x00000007 jmp 00007FB8D4BFEE07h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 31603F second address: 31605A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 31605A second address: 31606D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8D4BFEDFBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 31646D second address: 3164A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FB8D4EECBD4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 316649 second address: 316653 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8D4BFEE02h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 316653 second address: 316659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 316659 second address: 316669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB8D4BFEE12h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 316669 second address: 316677 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FB8D4EECBD2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3167FF second address: 316818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8D4BFEE00h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 31761E second address: 317649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBD4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 315509 second address: 315528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB8D4BFEDF6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4BFEE00h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 31AB0F second address: 31AB1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 320B40 second address: 320B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 320B44 second address: 320B6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD2h 0x00000007 ja 00007FB8D4EECBC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007FB8D4EECBC6h 0x00000016 jo 00007FB8D4EECBC6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 320B6F second address: 320B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8D4BFEDFEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3208A4 second address: 3208B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FB8D4EECBCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32F25E second address: 32F262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32F262 second address: 32F26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32F26C second address: 32F270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32EB84 second address: 32EB88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32EB88 second address: 32EB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8D4BFEDFFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32ED36 second address: 32ED41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8D4EECBC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 32ED41 second address: 32ED5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEE07h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 332051 second address: 332055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 25F31B second address: 25F334 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8D4BFEE00h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 25F334 second address: 25F341 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8D4EECBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 331EE1 second address: 331EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 331EE5 second address: 331EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 331EE9 second address: 331F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4BFEE08h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3355BF second address: 3355D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007FB8D4EECBC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3355D1 second address: 3355E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FB8D4BFEDFAh 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 33DF3E second address: 33DF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 342D22 second address: 342D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 342D28 second address: 342D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 256E38 second address: 256E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4BFEDFEh 0x00000009 popad 0x0000000a jns 00007FB8D4BFEDFEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 js 00007FB8D4BFEDF6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 342BC8 second address: 342BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 js 00007FB8D4EECBC6h 0x0000000b jmp 00007FB8D4EECBD3h 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3442BC second address: 3442C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3442C2 second address: 3442C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3442C8 second address: 3442D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 346C24 second address: 346C4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB8D4EECBD4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 351071 second address: 35108B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEE06h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 35108B second address: 35108F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 35108F second address: 3510AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8D4BFEE02h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3510AB second address: 3510AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 34FB97 second address: 34FB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 34FB9B second address: 34FBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB8D4EECBC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 34FFE5 second address: 34FFEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 35013C second address: 350147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 355E0B second address: 355E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 357837 second address: 35783B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 35783B second address: 357841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 357841 second address: 35784B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB8D4EECBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 357984 second address: 357993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FB8D4BFEDF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38D75A second address: 38D75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38C94A second address: 38C94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38C94E second address: 38C954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38CF9C second address: 38CFBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FB8D4BFEE02h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38CFBB second address: 38CFCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FB8D4EECBC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38CFCA second address: 38CFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38D2BF second address: 38D2D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8D4EECBCEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38D2D7 second address: 38D2F4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8D4BFEDF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8D4BFEDFFh 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 38D2F4 second address: 38D30C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8D4EECBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007FB8D4EECBC6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 39174B second address: 39174F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 39174F second address: 391755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 3917C9 second address: 3917E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391A13 second address: 391A80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FB8D4EECBC6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f and edx, dword ptr [ebp+122D25DBh] 0x00000015 push 00000004h 0x00000017 push edi 0x00000018 stc 0x00000019 pop edx 0x0000001a call 00007FB8D4EECBC9h 0x0000001f jmp 00007FB8D4EECBD9h 0x00000024 push eax 0x00000025 jmp 00007FB8D4EECBD3h 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e jne 00007FB8D4EECBD1h 0x00000034 mov eax, dword ptr [eax] 0x00000036 pushad 0x00000037 pushad 0x00000038 pushad 0x00000039 popad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391A80 second address: 391A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FB8D4BFEDF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391A8D second address: 391AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jng 00007FB8D4EECBE9h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB8D4EECBD7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391CFD second address: 391D0B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8D4BFEDF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391D0B second address: 391D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 391D0F second address: 391D40 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8D4BFEDF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edx, dword ptr [ebp+122D2B0Ch] 0x00000014 push dword ptr [ebp+122D27A4h] 0x0000001a pushad 0x0000001b mov edi, dword ptr [ebp+122D2AE4h] 0x00000021 mov dword ptr [ebp+122D1C01h], edi 0x00000027 popad 0x00000028 push AD5866B3h 0x0000002d push edi 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0DC3 second address: 49F0DC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A4078A second address: 4A407B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB8D4BFEE01h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A407B2 second address: 4A407FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FB8D4EECBCFh 0x0000000b jmp 00007FB8D4EECBD3h 0x00000010 popfd 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 mov dx, cx 0x00000018 pushad 0x00000019 jmp 00007FB8D4EECBCEh 0x0000001e mov esi, 4A2A2F01h 0x00000023 popad 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A407FF second address: 4A40818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49B0C10 second address: 49B0C2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49B0C2B second address: 49B0C74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d pushfd 0x0000000e jmp 00007FB8D4BFEE09h 0x00000013 jmp 00007FB8D4BFEDFBh 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov edx, eax 0x00000020 jmp 00007FB8D4BFEDFEh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49B0C74 second address: 49B0D1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBCDh 0x00000009 add cx, 1C46h 0x0000000e jmp 00007FB8D4EECBD1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 movzx ecx, dx 0x0000001c mov di, 80FCh 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FB8D4EECBD1h 0x0000002a sub eax, 1C4B5456h 0x00000030 jmp 00007FB8D4EECBD1h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FB8D4EECBD0h 0x0000003c adc esi, 44C98E78h 0x00000042 jmp 00007FB8D4EECBCBh 0x00000047 popfd 0x00000048 popad 0x00000049 push dword ptr [ebp+04h] 0x0000004c pushad 0x0000004d pushad 0x0000004e jmp 00007FB8D4EECBD2h 0x00000053 popad 0x00000054 mov bh, ah 0x00000056 popad 0x00000057 push dword ptr [ebp+0Ch] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49B0D1E second address: 49B0D30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49B0D30 second address: 49B0D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8D4EECBD1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0A7E second address: 49F0A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0A86 second address: 49F0A9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 107Ch 0x00000007 movsx ebx, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ecx, edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0A9A second address: 49F0AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, E4h 0x00000005 movsx ebx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB8D4BFEDFCh 0x00000015 adc ch, FFFFFFF8h 0x00000018 jmp 00007FB8D4BFEDFBh 0x0000001d popfd 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0AC9 second address: 49F0ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E09CD second address: 49E09D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E09D3 second address: 49E09E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E09E4 second address: 49E0A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e movzx esi, di 0x00000011 pushfd 0x00000012 jmp 00007FB8D4BFEE09h 0x00000017 adc cx, 0CC6h 0x0000001c jmp 00007FB8D4BFEE01h 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FB8D4BFEE08h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E0A50 second address: 49E0A5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E0A5F second address: 49E0A65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E0A65 second address: 49E0A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30E64 second address: 4A30E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30E68 second address: 4A30E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30E6E second address: 4A30E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30E74 second address: 4A30E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30E78 second address: 4A30EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b jmp 00007FB8D4BFEE02h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FB8D4BFEE00h 0x00000018 adc esi, 01C0C198h 0x0000001e jmp 00007FB8D4BFEDFBh 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30EBA second address: 4A30EF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBD7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B33 second address: 49F0B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B45 second address: 49F0B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B4B second address: 49F0B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B4F second address: 49F0B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B5E second address: 49F0B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B62 second address: 49F0B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B68 second address: 49F0B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B6E second address: 49F0B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FB8D4EECBD0h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B91 second address: 49F0B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0B95 second address: 49F0BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0BB2 second address: 49F0C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB8D4BFEE03h 0x00000013 add esi, 5DB726AEh 0x00000019 jmp 00007FB8D4BFEE09h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FB8D4BFEE00h 0x00000025 add ecx, 6ECEE028h 0x0000002b jmp 00007FB8D4BFEDFBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A4029F second address: 4A402AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A402AE second address: 4A402B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A402B4 second address: 4A402B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A402B8 second address: 4A40321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007FB8D4BFEDFFh 0x00000012 pushfd 0x00000013 jmp 00007FB8D4BFEE08h 0x00000018 or eax, 36307F58h 0x0000001e jmp 00007FB8D4BFEDFBh 0x00000023 popfd 0x00000024 pop eax 0x00000025 call 00007FB8D4BFEE09h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A40321 second address: 4A403A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 call 00007FB8D4EECBD3h 0x0000000d pushfd 0x0000000e jmp 00007FB8D4EECBD8h 0x00000013 xor eax, 3879E348h 0x00000019 jmp 00007FB8D4EECBCBh 0x0000001e popfd 0x0000001f pop eax 0x00000020 jmp 00007FB8D4EECBD9h 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 jmp 00007FB8D4EECBCEh 0x0000002d mov eax, dword ptr [ebp+08h] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FB8D4EECBCAh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A403A3 second address: 4A403A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A403A9 second address: 4A403F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 call 00007FB8D4EECBD3h 0x00000015 movzx eax, bx 0x00000018 pop edi 0x00000019 popad 0x0000001a and dword ptr [eax+04h], 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB8D4EECBD7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A403F7 second address: 4A403FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A403FF second address: 4A4040D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A4040D second address: 4A40411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A40411 second address: 4A40415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A40415 second address: 4A4041B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A4041B second address: 4A4042D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A4042D second address: 4A40431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E086F second address: 49E08E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 pushfd 0x00000007 jmp 00007FB8D4EECBD3h 0x0000000c adc al, 0000007Eh 0x0000000f jmp 00007FB8D4EECBD9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FB8D4EECBCEh 0x0000001e push eax 0x0000001f pushad 0x00000020 call 00007FB8D4EECBCCh 0x00000025 mov dl, cl 0x00000027 pop edi 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB8D4EECBD4h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E08E3 second address: 49E08F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307A6 second address: 4A307AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307AD second address: 4A307C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov dx, D90Ch 0x0000000f mov edx, 4DDC79F8h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307C2 second address: 4A307D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307D3 second address: 4A307D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307D7 second address: 4A307F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4EECBD3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307F5 second address: 4A307FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A307FB second address: 4A30810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4EECBCAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30810 second address: 4A30816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30816 second address: 4A3081A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3081A second address: 4A3081E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A10DF3 second address: 4A10DF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0113 second address: 49C0117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0117 second address: 49C012A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C012A second address: 49C0130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0130 second address: 49C0134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0134 second address: 49C0167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx ecx, bx 0x0000000d pushad 0x0000000e mov ecx, edi 0x00000010 mov eax, edi 0x00000012 popad 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007FB8D4BFEDFDh 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB8D4BFEDFDh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0167 second address: 49C0185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0185 second address: 49C0189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0189 second address: 49C018D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C018D second address: 49C0193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0193 second address: 49C01C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cl, A3h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b jmp 00007FB8D4EECBD6h 0x00000010 mov dword ptr [esp], ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB8D4EECBCCh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C01C6 second address: 49C0232 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB8D4BFEE02h 0x00000008 or al, 00000078h 0x0000000b jmp 00007FB8D4BFEDFBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 mov dl, 18h 0x00000016 pop ecx 0x00000017 popad 0x00000018 push ebx 0x00000019 pushad 0x0000001a mov eax, 194A2AF9h 0x0000001f popad 0x00000020 mov dword ptr [esp], ebx 0x00000023 pushad 0x00000024 movzx eax, dx 0x00000027 pushfd 0x00000028 jmp 00007FB8D4BFEE03h 0x0000002d jmp 00007FB8D4BFEE03h 0x00000032 popfd 0x00000033 popad 0x00000034 mov ebx, dword ptr [ebp+10h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0232 second address: 49C0238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0238 second address: 49C023E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C023E second address: 49C0242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0242 second address: 49C0251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0251 second address: 49C0255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0255 second address: 49C0272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0272 second address: 49C02B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB8D4EECBD1h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8D4EECBD8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C02B6 second address: 49C02C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C02C5 second address: 49C032E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007FB8D4EECBCEh 0x00000011 xchg eax, edi 0x00000012 jmp 00007FB8D4EECBD0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FB8D4EECBCCh 0x00000021 jmp 00007FB8D4EECBD5h 0x00000026 popfd 0x00000027 mov edx, esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C032E second address: 49C0346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0346 second address: 49C034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C034A second address: 49C0350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C0350 second address: 49C03A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov di, si 0x0000000f mov ch, AFh 0x00000011 popad 0x00000012 je 00007FB94828AE6Ch 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FB8D4EECBCBh 0x0000001f xor ecx, 6E59C4AEh 0x00000025 jmp 00007FB8D4EECBD9h 0x0000002a popfd 0x0000002b push eax 0x0000002c push edx 0x0000002d mov dl, al 0x0000002f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C03A6 second address: 49C03F1 instructions: 0x00000000 rdtsc 0x00000002 mov dh, 32h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FB8D4BFEE07h 0x00000017 adc ecx, 0D3ACF6Eh 0x0000001d jmp 00007FB8D4BFEE09h 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49C03F1 second address: 49C03F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0014 second address: 49F001A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F001A second address: 49F001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F001E second address: 49F0051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FB8D4BFEDFEh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8D4BFEDFEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0051 second address: 49F0057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0057 second address: 49F005B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F005B second address: 49F006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F006A second address: 49F0070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0070 second address: 49F00C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FB8D4EECBCEh 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007FB8D4EECBD0h 0x00000018 xchg eax, ebx 0x00000019 jmp 00007FB8D4EECBD0h 0x0000001e push eax 0x0000001f jmp 00007FB8D4EECBCBh 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F00C7 second address: 49F0146 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB8D4BFEDFEh 0x00000008 jmp 00007FB8D4BFEE05h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 mov di, 1222h 0x00000015 pop ebx 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 jmp 00007FB8D4BFEE06h 0x0000001d push eax 0x0000001e pushad 0x0000001f mov ebx, 00679264h 0x00000024 pushfd 0x00000025 jmp 00007FB8D4BFEDFDh 0x0000002a xor cx, 36A6h 0x0000002f jmp 00007FB8D4BFEE01h 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov ax, di 0x0000003d mov ax, bx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0146 second address: 49F0161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0161 second address: 49F017E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4BFEE00h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F017E second address: 49F01BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBD1h 0x00000009 adc cl, FFFFFFC6h 0x0000000c jmp 00007FB8D4EECBD1h 0x00000011 popfd 0x00000012 mov ecx, 1447EB77h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a sub ebx, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, 268Bh 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F01BC second address: 49F021F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4BFEDFDh 0x00000009 jmp 00007FB8D4BFEDFBh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FB8D4BFEE08h 0x00000015 xor ax, B0F8h 0x0000001a jmp 00007FB8D4BFEDFBh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 test esi, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB8D4BFEE05h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F021F second address: 49F023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FB948252D20h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F023F second address: 49F0275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB8D4BFEE09h 0x0000000a xor si, C1A6h 0x0000000f jmp 00007FB8D4BFEE01h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0275 second address: 49F02BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FB8D4EECBCEh 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB8D4EECBD7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F02BA second address: 49F02D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 3Ch 0x00000005 mov esi, 2AECC497h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FB947F64ED2h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F02D3 second address: 49F02D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F02D7 second address: 49F02DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F02DD second address: 49F031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FB8D4EECBCAh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test byte ptr [77DE6968h], 00000002h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FB8D4EECBCAh 0x0000001e xor ecx, 006AC668h 0x00000024 jmp 00007FB8D4EECBCBh 0x00000029 popfd 0x0000002a mov edx, eax 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F031A second address: 49F032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEE00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F032E second address: 49F0357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB948252C46h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edx, esi 0x00000013 call 00007FB8D4EECBD4h 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0357 second address: 49F035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F035D second address: 49F0361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0361 second address: 49F0365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F0365 second address: 49F037B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, 655AF896h 0x00000013 push edx 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49F04B5 second address: 49F04BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D67 second address: 49D0D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D6B second address: 49D0D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D6F second address: 49D0D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D75 second address: 49D0D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D7B second address: 49D0D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBCBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D93 second address: 49D0D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49D0D99 second address: 49D0D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50EE9 second address: 4A50F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB8D4BFEDFEh 0x0000000f push eax 0x00000010 jmp 00007FB8D4BFEDFBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB8D4BFEE00h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50F36 second address: 4A50F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50F3A second address: 4A50F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50F40 second address: 4A50F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50212 second address: 4A50218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50218 second address: 4A50299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007FB8D4EECBCEh 0x00000010 mov ch, 98h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FB8D4EECBD3h 0x0000001c or esi, 7E17479Eh 0x00000022 jmp 00007FB8D4EECBD9h 0x00000027 popfd 0x00000028 mov edx, esi 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB8D4EECBD9h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A50299 second address: 4A5029F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 49E06BE second address: 49E06F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FB8D4EECBD4h 0x00000009 pop eax 0x0000000a popad 0x0000000b popad 0x0000000c push ebp 0x0000000d pushad 0x0000000e call 00007FB8D4EECBD3h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A505D9 second address: 4A505E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A204BD second address: 4A205BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c mov edx, ecx 0x0000000e pop ecx 0x0000000f mov esi, edx 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FB8D4EECBD7h 0x0000001a xor esi, 48122C7Eh 0x00000020 jmp 00007FB8D4EECBD9h 0x00000025 popfd 0x00000026 call 00007FB8D4EECBD0h 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 mov ebx, 69726590h 0x00000037 call 00007FB8D4EECBD9h 0x0000003c mov di, si 0x0000003f pop eax 0x00000040 popad 0x00000041 and esp, FFFFFFF0h 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007FB8D4EECBD4h 0x0000004b jmp 00007FB8D4EECBD5h 0x00000050 popfd 0x00000051 popad 0x00000052 sub esp, 44h 0x00000055 jmp 00007FB8D4EECBCEh 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e pushfd 0x0000005f jmp 00007FB8D4EECBD9h 0x00000064 jmp 00007FB8D4EECBCBh 0x00000069 popfd 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A205BB second address: 4A205D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEE04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A205D3 second address: 4A205D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A205D7 second address: 4A205EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4BFEDFDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A205EF second address: 4A206BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBD7h 0x00000009 and ch, FFFFFFCEh 0x0000000c jmp 00007FB8D4EECBD9h 0x00000011 popfd 0x00000012 jmp 00007FB8D4EECBD0h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c jmp 00007FB8D4EECBCEh 0x00000021 mov bx, cx 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 mov ch, 45h 0x00000029 push ebx 0x0000002a jmp 00007FB8D4EECBD2h 0x0000002f pop eax 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 call 00007FB8D4EECBCEh 0x00000038 call 00007FB8D4EECBD2h 0x0000003d pop eax 0x0000003e pop edx 0x0000003f mov ecx, 4A39B277h 0x00000044 popad 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 pushad 0x00000048 mov esi, 2746AB05h 0x0000004d mov cx, F281h 0x00000051 popad 0x00000052 mov cx, 35BDh 0x00000056 popad 0x00000057 xchg eax, edi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FB8D4EECBD2h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A206BA second address: 4A206C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A206C9 second address: 4A206E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A206E1 second address: 4A206E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A206E5 second address: 4A206FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB8D4EECBCDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A206FD second address: 4A2072F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB8D4BFEE08h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2072F second address: 4A20735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20735 second address: 4A207BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FB8D4BFEE08h 0x0000000b sbb cx, BA48h 0x00000010 jmp 00007FB8D4BFEDFBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov edi, dword ptr [ebp+08h] 0x0000001c jmp 00007FB8D4BFEE06h 0x00000021 mov dword ptr [esp+24h], 00000000h 0x00000029 jmp 00007FB8D4BFEE00h 0x0000002e lock bts dword ptr [edi], 00000000h 0x00000033 jmp 00007FB8D4BFEE00h 0x00000038 jc 00007FB947EE0A7Ch 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 mov dl, 97h 0x00000043 mov bx, cx 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A207BC second address: 4A207CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4EECBCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A207CE second address: 4A20801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEDFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c jmp 00007FB8D4BFEE06h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dl, 63h 0x00000017 mov cx, 6355h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20801 second address: 4A20807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20807 second address: 4A2080B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2080B second address: 4A20823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBCBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20823 second address: 4A20840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20840 second address: 4A20866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBCDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20866 second address: 4A208CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4BFEE07h 0x00000009 or eax, 28F4B22Eh 0x0000000f jmp 00007FB8D4BFEE09h 0x00000014 popfd 0x00000015 jmp 00007FB8D4BFEE00h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB8D4BFEE07h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A200A8 second address: 4A2010B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBD8h 0x00000009 sbb eax, 01A69F68h 0x0000000f jmp 00007FB8D4EECBCBh 0x00000014 popfd 0x00000015 mov ax, 515Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e jmp 00007FB8D4EECBD2h 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB8D4EECBD7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2010B second address: 4A20133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ax, 640Fh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20133 second address: 4A20139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20139 second address: 4A2013D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2013D second address: 4A20141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20141 second address: 4A2014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2014F second address: 4A20159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 0EACBB91h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20159 second address: 4A20218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB8D4BFEE04h 0x00000011 and al, 00000048h 0x00000014 jmp 00007FB8D4BFEDFBh 0x00000019 popfd 0x0000001a mov edi, ecx 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FB8D4BFEE05h 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 push esi 0x00000026 push ebx 0x00000027 pop eax 0x00000028 pop ebx 0x00000029 pushfd 0x0000002a jmp 00007FB8D4BFEE04h 0x0000002f jmp 00007FB8D4BFEE05h 0x00000034 popfd 0x00000035 popad 0x00000036 mov esi, dword ptr [ebp+08h] 0x00000039 jmp 00007FB8D4BFEDFEh 0x0000003e sub ecx, ecx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FB8D4BFEDFAh 0x00000049 add si, 4598h 0x0000004e jmp 00007FB8D4BFEDFBh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20218 second address: 4A2021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2021E second address: 4A20222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20222 second address: 4A20231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20231 second address: 4A20283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB8D4BFEE09h 0x0000000f xchg eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8D4BFEE08h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20283 second address: 4A20292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20292 second address: 4A202BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 00000001h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dh, EBh 0x00000013 mov eax, 56FD3ADBh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A202BF second address: 4A202EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [esi], ecx 0x0000000d jmp 00007FB8D4EECBCEh 0x00000012 mov ecx, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A202EE second address: 4A202F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A202F2 second address: 4A2030F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A2030F second address: 4A20332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp ecx, 01h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, CBFEh 0x00000013 movsx edx, si 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20332 second address: 4A20352 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FB9481CEE4Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20352 second address: 4A20356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20356 second address: 4A203E2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB8D4EECBD8h 0x00000008 and esi, 255B9A28h 0x0000000e jmp 00007FB8D4EECBCBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007FB8D4EECBD8h 0x0000001c adc ah, FFFFFF88h 0x0000001f jmp 00007FB8D4EECBCBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FB8D4EECBCBh 0x00000030 adc ax, 08CEh 0x00000035 jmp 00007FB8D4EECBD9h 0x0000003a popfd 0x0000003b mov ax, 62D7h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A203E2 second address: 4A203E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A203E8 second address: 4A20402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8D4EECBCDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20402 second address: 4A20408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A20408 second address: 4A20470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 jmp 00007FB8D4EECBCFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FB8D4EECBCBh 0x00000018 jmp 00007FB8D4EECBD3h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FB8D4EECBD8h 0x00000024 and eax, 01F41868h 0x0000002a jmp 00007FB8D4EECBCBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3001F second address: 4A3007C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB8D4BFEE08h 0x00000008 and si, DD98h 0x0000000d jmp 00007FB8D4BFEDFBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FB8D4BFEE04h 0x0000001e xor cx, 07F8h 0x00000023 jmp 00007FB8D4BFEDFBh 0x00000028 popfd 0x00000029 pushad 0x0000002a mov dx, ax 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3007C second address: 4A300D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB8D4EECBD1h 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 mov edi, eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007FB8D4EECBD2h 0x0000001b push FFFFFFFEh 0x0000001d pushad 0x0000001e mov cl, 3Eh 0x00000020 jmp 00007FB8D4EECBD3h 0x00000025 popad 0x00000026 call 00007FB8D4EECBC9h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A300D8 second address: 4A300DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A300DC second address: 4A300F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A300F7 second address: 4A300FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A300FD second address: 4A30101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30101 second address: 4A301D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB8D4BFEDFEh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB8D4BFEE01h 0x00000019 adc cx, 0216h 0x0000001e jmp 00007FB8D4BFEE01h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FB8D4BFEE00h 0x0000002a or si, 7638h 0x0000002f jmp 00007FB8D4BFEDFBh 0x00000034 popfd 0x00000035 popad 0x00000036 mov eax, dword ptr [eax] 0x00000038 jmp 00007FB8D4BFEE09h 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 pushad 0x00000042 mov di, 4862h 0x00000046 pushfd 0x00000047 jmp 00007FB8D4BFEE03h 0x0000004c add si, 795Eh 0x00000051 jmp 00007FB8D4BFEE09h 0x00000056 popfd 0x00000057 popad 0x00000058 pop eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FB8D4BFEDFDh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A301D1 second address: 4A30249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBD7h 0x00000009 and ax, B41Eh 0x0000000e jmp 00007FB8D4EECBD9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FB8D4EECBD0h 0x0000001a sub ax, 3A18h 0x0000001f jmp 00007FB8D4EECBCBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push 2651A557h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FB8D4EECBD2h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30249 second address: 4A3024F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3024F second address: 4A30253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30253 second address: 4A30257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30257 second address: 4A3027A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 518208A9h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop edi 0x00000014 jmp 00007FB8D4EECBCEh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3027A second address: 4A3028C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8D4BFEDFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3028C second address: 4A30290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30290 second address: 4A302AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000000h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB8D4BFEDFAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A302AA second address: 4A302BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4EECBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A302BF second address: 4A30373 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 0FCF4167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, ecx 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FB8D4BFEE09h 0x00000012 nop 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FB8D4BFEDFCh 0x0000001a adc cx, 2DF8h 0x0000001f jmp 00007FB8D4BFEDFBh 0x00000024 popfd 0x00000025 movzx eax, dx 0x00000028 popad 0x00000029 sub esp, 1Ch 0x0000002c jmp 00007FB8D4BFEDFBh 0x00000031 xchg eax, ebx 0x00000032 jmp 00007FB8D4BFEE06h 0x00000037 push eax 0x00000038 jmp 00007FB8D4BFEDFBh 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f mov ax, 711Bh 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FB8D4BFEDFEh 0x0000004a jmp 00007FB8D4BFEE05h 0x0000004f popfd 0x00000050 mov cx, C9D7h 0x00000054 popad 0x00000055 popad 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30373 second address: 4A30377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A30377 second address: 4A3037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A3037D second address: 4A303E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB8D4EECBCCh 0x00000009 adc ch, 00000078h 0x0000000c jmp 00007FB8D4EECBCBh 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FB8D4EECBD5h 0x0000001d xchg eax, esi 0x0000001e jmp 00007FB8D4EECBCEh 0x00000023 xchg eax, edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB8D4EECBD7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe RDTSC instruction interceptor: First address: 4A303E0 second address: 4A3046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8D4BFEE09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, edi 0x0000000d pushfd 0x0000000e jmp 00007FB8D4BFEE03h 0x00000013 sbb ax, 4F5Eh 0x00000018 jmp 00007FB8D4BFEE09h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 jmp 00007FB8D4BFEDFEh 0x00000025 mov eax, dword ptr [77DEB370h] 0x0000002a jmp 00007FB8D4BFEE00h 0x0000002f xor dword ptr [ebp-08h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jmp 00007FB8D4BFEDFDh 0x0000003a push eax 0x0000003b pop edx 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Special instruction interceptor: First address: F2AAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Special instruction interceptor: First address: 299824 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: DF2AAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: F99824 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Special instruction interceptor: First address: 5D5D9E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Special instruction interceptor: First address: 5D5C90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Special instruction interceptor: First address: 786BE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Special instruction interceptor: First address: 814C5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Special instruction interceptor: First address: 48FC87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Special instruction interceptor: First address: 64CBE2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Special instruction interceptor: First address: 6A9DBC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Special instruction interceptor: First address: 98DB7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Special instruction interceptor: First address: B42DAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Special instruction interceptor: First address: 98DA9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Special instruction interceptor: First address: BCBA0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Special instruction interceptor: First address: AA7DE5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Special instruction interceptor: First address: AB0E9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Special instruction interceptor: First address: 976F4B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Special instruction interceptor: First address: A03AD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Special instruction interceptor: First address: 994FF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Memory allocated: 5360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Memory allocated: 5170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Code function: 0_2_04A5046D rdtsc 0_2_04A5046D
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 516
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1230
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1203
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1243
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1227
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1236
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window / User API: threadDelayed 3684
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window / User API: threadDelayed 4742
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Window / User API: threadDelayed 4618
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341590101\1c2040cc08.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341650101\TbV75ZR.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341660101\f73ae_003.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341640101\7IIl2eE.exe
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341680101\e051231d4e.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\7IIl2eE[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\f73ae_003[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\TbV75ZR[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\WLbfHbp[1].exe
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341630101\BIm18E9.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\BIm18E9[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341670101\WLbfHbp.exe
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341600101\871714e72e.exe
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Registry key enumerated: More than 123 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7020 Thread sleep count: 516 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7020 Thread sleep time: -1032516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6036 Thread sleep count: 1230 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6036 Thread sleep time: -2461230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5400 Thread sleep count: 254 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5400 Thread sleep time: -7620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2932 Thread sleep count: 1203 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2932 Thread sleep time: -2407203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5956 Thread sleep count: 1243 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5956 Thread sleep time: -2487243s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5988 Thread sleep count: 1227 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5988 Thread sleep time: -2455227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2680 Thread sleep count: 1236 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2680 Thread sleep time: -2473236s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 3852 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 3804 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 6112 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 4552 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 5580 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 4112 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 5192 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 7036 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 596 Thread sleep count: 113 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 596 Thread sleep time: -226113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 3320 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 3320 Thread sleep time: -194097s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1880 Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1880 Thread sleep time: -214107s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1580 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 332 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 332 Thread sleep time: -166083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 4092 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1936 Thread sleep count: 86 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1936 Thread sleep time: -172086s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 2004 Thread sleep count: 86 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 2004 Thread sleep time: -172086s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 760 Thread sleep count: 95 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 760 Thread sleep time: -190095s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1672 Thread sleep count: 3684 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 1672 Thread sleep time: -7371684s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6484 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6484 Thread sleep time: -140070s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6636 Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6636 Thread sleep time: -160080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6552 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6552 Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 4976 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6524 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6524 Thread sleep time: -154077s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 5644 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6496 Thread sleep count: 4742 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6496 Thread sleep time: -9488742s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6464 Thread sleep count: 4618 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6464 Thread sleep time: -9240618s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6596 Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6596 Thread sleep time: -126063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6668 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe TID: 6668 Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe TID: 696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 3896 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 6360 Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe TID: 6360 Thread sleep time: -1188000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe TID: 7796 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe TID: 8524 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 9112 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF05070 strlen,PR_SetError,strcpy,_mbsdec,strlen,_mbsinc,_mbsinc,FindFirstFileA,GetLastError, 13_2_6CF05070
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDEEBF0 PR_GetNumberOfProcessors,GetSystemInfo, 13_2_6CDEEBF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: 4aa1430779.exe, 0000000E.00000003.1978892837.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2168922742.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000587074.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2163619372.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2065097809.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1565304796.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2012964062.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2043476594.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2191743768.000000000116E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?!
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 4aa1430779.exe, 4aa1430779.exe, 0000000C.00000003.1545021900.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1561781127.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1440892277.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694992949.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001534000.00000004.00000020.00020000.00000000.sdmp, 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.1978892837.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2168922742.000000000116E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2000587074.000000000116E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000027.00000002.1876711895.000001A33931D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000127A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
Source: rRYQiGZ4K3.exe, 00000000.00000003.912412127.0000000000B33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 98f2fbda18.exe, 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: firefox.exe, 00000027.00000002.1877453463.000001A339740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7xO
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: rRYQiGZ4K3.exe, 00000000.00000003.912412127.0000000000B43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: rapes.exe, rapes.exe, 00000002.00000002.973644661.0000000000F7D000.00000040.00000001.01000000.00000007.sdmp, 4aa1430779.exe, 0000000C.00000002.1691607917.0000000000764000.00000040.00000001.01000000.0000000B.sdmp, 98f2fbda18.exe, 98f2fbda18.exe, 0000000D.00000002.2054293294.0000000000605000.00000040.00000001.01000000.0000000C.sdmp, 4aa1430779.exe, 0000000E.00000002.2179806377.0000000000764000.00000040.00000001.01000000.0000000B.sdmp, 43a132b865.exe, 00000019.00000002.1829513886.0000000000B18000.00000040.00000001.01000000.0000000E.sdmp, GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000002.1812328994.0000000000A88000.00000040.00000001.01000000.0000000F.sdmp, 98f2fbda18.exe, 00000022.00000002.2118980449.0000000000605000.00000040.00000001.01000000.0000000C.sdmp, b4ba663854.exe, 00000028.00000002.2086596627.0000000000958000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: firefox.exe, 00000027.00000002.1877453463.000001A339740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000027.00000002.1877453463.000001A339740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly|q
Source: 4aa1430779.exe, 0000000C.00000002.1694075684.000000000136A000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687447852.000000000136A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@^;
Source: 4aa1430779.exe, 0000000E.00000003.2163619372.000000000112F000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000002.2190586349.000000000112F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarep
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: rRYQiGZ4K3.exe, 00000000.00000003.912412127.0000000000B43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: firefox.exe, 00000027.00000002.1873927736.000001A338E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: 98f2fbda18.exe, 0000000D.00000002.2059353162.0000000001565000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWS
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: rRYQiGZ4K3.exe, 00000000.00000002.939510941.000000000027D000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000001.00000002.961053730.0000000000F7D000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000002.00000002.973644661.0000000000F7D000.00000040.00000001.01000000.00000007.sdmp, 4aa1430779.exe, 0000000C.00000002.1691607917.0000000000764000.00000040.00000001.01000000.0000000B.sdmp, 98f2fbda18.exe, 0000000D.00000002.2054293294.0000000000605000.00000040.00000001.01000000.0000000C.sdmp, 4aa1430779.exe, 0000000E.00000002.2179806377.0000000000764000.00000040.00000001.01000000.0000000B.sdmp, 43a132b865.exe, 00000019.00000002.1829513886.0000000000B18000.00000040.00000001.01000000.0000000E.sdmp, GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000002.1812328994.0000000000A88000.00000040.00000001.01000000.0000000F.sdmp, 98f2fbda18.exe, 00000022.00000002.2118980449.0000000000605000.00000040.00000001.01000000.0000000C.sdmp, b4ba663854.exe, 00000028.00000002.2086596627.0000000000958000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: b4ba663854.exe, 00000028.00000003.2067553213.000000000128A000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.1990455615.000000000128D000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000002.2095070327.000000000128A000.00000004.00000020.00020000.00000000.sdmp, b4ba663854.exe, 00000028.00000003.2057351254.000000000128A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: b4ba663854.exe, 00000028.00000003.1864327502.0000000005BD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: SIWVID
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GQBW1T0IDBJMVUA99J2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Code function: 0_2_04A5046D rdtsc 0_2_04A5046D
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEBAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6CEBAC62
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEBB12A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_6CEBB12A
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 5028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 6388, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 452000
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 460000
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BAD008
Source: C:\Users\user\Desktop\rRYQiGZ4K3.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe "C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe "C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe "C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe "C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe "C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe "C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CF04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 13_2_6CF04760
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 13_2_6CDE1C30
Source: 01f5cbd84e.exe, 00000010.00000002.1780483809.0000000000662000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 4aa1430779.exe, 0000000C.00000002.1692155878.00000000007AA000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: XProgram Manager
Source: 98f2fbda18.exe Binary or memory string: ZLProgram Manager
Source: 98f2fbda18.exe, 0000000D.00000002.2054293294.0000000000605000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: ZLProgram Manager
Source: GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000002.1812328994.0000000000A88000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: rapes.exe, rapes.exe, 00000002.00000002.973644661.0000000000F7D000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: iFProgram Manager
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEBAE71 cpuid 13_2_6CEBAE71
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341540101\01f5cbd84e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341570101\4bEpXMZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341590101\1c2040cc08.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341600101\871714e72e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341610101\4bEpXMZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341630101\BIm18E9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341640101\7IIl2eE.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341650101\TbV75ZR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341660101\f73ae_003.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341670101\WLbfHbp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341680101\e051231d4e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341690101\f59cb4f3ef.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341700101\e240a344bf.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341710101\d83a92e1f3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341720101\4858284b54.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEBA8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_6CEBA8DC
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CE08390 NSS_GetVersion, 13_2_6CE08390
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\10341550101\43a132b865.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: 4aa1430779.exe, 4aa1430779.exe, 0000000C.00000003.1555058525.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1687447852.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555396313.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555456425.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000002.1694216029.0000000001383000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000C.00000003.1555058525.000000000139D000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2042026430.00000000011E4000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2050567285.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, 4aa1430779.exe, 0000000E.00000003.2171827275.000000000114A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.1764997721.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.920543610.0000000005580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.969659947.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.939095274.0000000000081000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.960955925.0000000000D81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1294910068.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1812105370.0000000000891000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.898483633.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 01f5cbd84e.exe PID: 3908, type: MEMORYSTR
Source: Yara match File source: 50.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.2005385880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2085781376.0000000000771000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2116887692.0000000000241000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1500600561.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2046590109.0000000000241000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.1754107339.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 5028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 6388, type: MEMORYSTR
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: at|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000003A7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: at|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: file__0.localstorage
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.000000000030C000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: 98f2fbda18.exe, 0000000D.00000002.2046590109.00000000002F5000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: multidoge.wallet
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\10341560101\b4ba663854.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Directory queried: number of queries: 2665
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 5028, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: Yara match File source: Process Memory Space: 01f5cbd84e.exe PID: 3908, type: MEMORYSTR
Source: Yara match File source: 50.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 50.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000003.1799197026.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.2005385880.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2085781376.0000000000771000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2059353162.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2116887692.0000000000241000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2136409519.000000000123B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1500600561.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2046590109.0000000000241000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.1754107339.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 5028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 98f2fbda18.exe PID: 5028, type: MEMORYSTR
Source: rRYQiGZ4K3.exe String found in binary or memory: net start termservice
Source: rRYQiGZ4K3.exe, 00000000.00000002.939095274.0000000000081000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: net start termservice
Source: rRYQiGZ4K3.exe, 00000000.00000002.939095274.0000000000081000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rRYQiGZ4K3.exe, 00000000.00000003.898483633.0000000004820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rRYQiGZ4K3.exe, 00000000.00000003.898483633.0000000004820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.920543610.0000000005580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.920543610.0000000005580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000001.00000002.960955925.0000000000D81000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.960955925.0000000000D81000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000003.928915551.0000000005580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000002.00000002.969659947.0000000000D81000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.969659947.0000000000D81000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000003.1294910068.0000000005320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1294910068.0000000005320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000003.1764997721.00000000049D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000003.1764997721.00000000049D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000002.1812105370.0000000000891000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: net start termservice
Source: GQBW1T0IDBJMVUA99J2.exe, 0000001E.00000002.1812105370.0000000000891000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
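Two of the behaviours recorded above are easy to turn into process-creation detections: the dropper in %TEMP% starting chrome.exe with --remote-debugging-port (the DevTools route that lets the browser itself hand over decrypted cookies, which is what the "Attempt to bypass Chrome Application-Bound Encryption" signature refers to), and the RDP-enablement chain spelled out in the decrypted strings (fDenyTSConnections under Terminal Server, the "Remote Desktop" firewall rule group, sc config termservice, net start termservice). The following Python is an added example written for this report, not sandbox output or sample code: the event records are constructed to look like Sysmon/4688 process-creation data (the chrome.exe command line is copied from the report; the reg.exe line is an assumed way the sample could write the registry value, since the report only shows the key and value name), and the tag names are the author's own.

```python
"""Flag Chrome DevTools remote debugging and the RDP-enablement command chain
in process-creation events. Added example with constructed log records."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    event_id: int
    tag: str
    image: str
    reason: str


# Browsers that honour --remote-debugging-port (assumption: Chromium family).
CHROMIUM_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe")
DEVTOOLS_FLAG = re.compile(r"--remote-debugging-port(?:=\d+)?", re.IGNORECASE)

# Patterns built from the strings the sample carries (see the report above).
RDP_PATTERNS = {
    "rdp_registry": re.compile(r"fDenyTSConnections", re.IGNORECASE),
    "rdp_firewall": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="Remote Desktop"'
        r"\s+new\s+enable=Yes", re.IGNORECASE),
    "rdp_service": re.compile(r"\b(?:sc\s+config|net\s+start)\s+termservice\b",
                              re.IGNORECASE),
}


def analyze(events):
    """Return one Finding per matched pattern, in event order."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["command_line"]
        if image in CHROMIUM_IMAGES and DEVTOOLS_FLAG.search(cmd):
            # Users do not start their browser with a DevTools port; a parent
            # living in %TEMP% (as in this sample) makes the hit stronger.
            parent = ev.get("parent_image", "").lower()
            reason = "browser started with DevTools remote debugging"
            if "\\appdata\\local\\temp\\" in parent:
                reason += " by a parent in %TEMP%"
            findings.append(Finding(ev["id"], "chrome_remote_debugging", image, reason))
        for tag, pat in RDP_PATTERNS.items():
            if pat.search(cmd):
                findings.append(Finding(ev["id"], tag, image, f"matched {pat.pattern!r}"))
    return findings


def rdp_chain_complete(findings):
    """True when registry, firewall and service steps all appear: the full
    sequence from the sample's strings, which is stronger than any single hit."""
    tags = {f.tag for f in findings}
    return {"rdp_registry", "rdp_firewall", "rdp_service"} <= tags


# Constructed records; the id 1 command line is the one recorded in the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\10341520101\4aa1430779.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                     r'--profile-directory="Default" --remote-debugging-port=9203'},
    {"id": 2, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                     r'--profile-directory="Default"'},
    {"id": 3, "image": r"C:\Windows\System32\reg.exe",   # assumed registry write
     "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                     r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"id": 4, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'},
    {"id": 5, "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc config termservice start= auto"},
    {"id": 6, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net start termservice"},
    {"id": 7, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"event {f.event_id}: {f.tag} ({f.image}) {f.reason}")
    print("RDP enablement chain complete:", rdp_chain_complete(hits))
```

In a real pipeline the same regexes run against Sysmon EventID 1 or Security 4688 command lines; correlate the RDP hits by host and a short time window, since the single reg.exe or sc.exe step also appears in legitimate administration, whereas the complete chain launched from a %TEMP% binary does not.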
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC0C40 sqlite3_bind_zeroblob, 13_2_6CEC0C40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC0D60 sqlite3_bind_parameter_name, 13_2_6CEC0D60
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE8EA0 sqlite3_clear_bindings, 13_2_6CDE8EA0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CEC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 13_2_6CEC0B40
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE6410 bind,WSAGetLastError, 13_2_6CDE6410
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE60B0 listen,WSAGetLastError, 13_2_6CDE60B0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDEC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 13_2_6CDEC050
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE6070 PR_Listen, 13_2_6CDE6070
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDEC030 sqlite3_bind_parameter_count, 13_2_6CDEC030
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CD722D0 sqlite3_bind_blob, 13_2_6CD722D0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE63C0 PR_Bind, 13_2_6CDE63C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE94C0 sqlite3_bind_text, 13_2_6CDE94C0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE94F0 sqlite3_bind_text16, 13_2_6CDE94F0
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE9480 sqlite3_bind_null, 13_2_6CDE9480
Source: C:\Users\user\AppData\Local\Temp\10341530101\98f2fbda18.exe Code function: 13_2_6CDE9400 sqlite3_bind_int64, 13_2_6CDE9400
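The sqlite3_bind_* exports listed above (alongside PR_Bind/PR_Listen, which belong to Mozilla's NSPR) are what a stealer needs to query browser profile databases such as Chromium's "Login Data" and "Cookies". What it gets back depends on how Chrome protected the blob: values prefixed "v10" are AES-GCM under a key that DPAPI-wraps in Local State and can be unwrapped from user context, while "v20" values use the App-Bound Encryption key, which is why this sample also falls back to the DevTools port. The Python below is an added example for this report, not code from the sample or from Chromium: it builds a throwaway SQLite file with the three "logins" columns a stealer selects and classifies each row by prefix, so an analyst can tell from a recovered copy of the database which entries needed an ABE bypass. The blob contents are random stand-ins, not real ciphertext.

```python
"""Classify Chromium 'Login Data' password blobs by their encryption prefix.
Added example; the database is constructed here, not taken from a victim."""
import os
import sqlite3
import tempfile

# Prefix -> scheme. "v10": AES-GCM under the DPAPI-wrapped os_crypt key;
# "v20": AES-GCM under the App-Bound Encryption key (Chrome 127 and later).
SCHEMES = {b"v10": "v10-dpapi", b"v20": "v20-app-bound"}


def classify(blob: bytes) -> str:
    return SCHEMES.get(bytes(blob[:3]), "unknown")


def build_sample_db(path: str) -> None:
    """Create a minimal 'logins' table with the columns stealers query."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB)")
    # Constructed rows: 12-byte nonce + ciphertext/tag bytes, random filler.
    rows = [
        ("https://example.test/login", "alice", b"v10" + os.urandom(12) + os.urandom(32)),
        ("https://bank.example.test", "bob", b"v20" + os.urandom(12) + os.urandom(32)),
        ("http://legacy.example.test", "carol", b"not-a-chrome-blob"),
    ]
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


def audit_logins(path: str):
    """Open the database read-only and return (url, user, scheme) per row."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cur = con.execute("SELECT origin_url, username_value, password_value "
                          "FROM logins ORDER BY rowid")
        return [(url, user, classify(pw)) for url, user, pw in cur]
    finally:
        con.close()


def scheme_counts(rows):
    counts = {}
    for _, _, scheme in rows:
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def demo():
    """Build the sample database in a temp dir, audit it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Login Data")
        build_sample_db(db)
        return audit_logins(db)


if __name__ == "__main__":
    result = demo()
    for url, user, scheme in result:
        print(f"{scheme:14s} {user:8s} {url}")
    print(scheme_counts(result))
```

On a live host the file is locked by the running browser, so a stealer copies it first; a defender can watch for reads or copies of "Login Data" and "Cookies" by anything other than the browser, and the v20 share in a stolen copy tells you whether DPAPI access alone would have been enough to decrypt it.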
Legend of the IP-distribution map (image not included): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs